about summary refs log tree commit diff
AgeCommit message (Collapse)Author
2022-01-28Fix Sidekiq warnings about JSON serialization (#17381)Claire
* Fix Sidekiq warnings about JSON serialization This occurs on every symbol argument we pass, and every symbol key in hashes, because Sidekiq expects strings instead. See https://github.com/mperham/sidekiq/pull/5071 We do not need to change how workers parse their arguments because this has not changed and we were already converting to symbols adequately or using `with_indifferent_access`. * Set Sidekiq to raise on unsafe arguments in test mode In order to more easily catch issues that would produce warnings in production code.
2022-01-27Fix some old database migrations (#17379)Claire
2022-01-27Bump pg from 1.2.3 to 1.3.0 (#17349)dependabot[bot]
Bumps [pg](https://github.com/ged/ruby-pg) from 1.2.3 to 1.3.0. - [Release notes](https://github.com/ged/ruby-pg/releases) - [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc) - [Commits](https://github.com/ged/ruby-pg/compare/v1.2.3...v1.3.0) --- updated-dependencies: - dependency-name: pg dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-27Bump axios from 0.24.0 to 0.25.0 (#17354)dependabot[bot]
Bumps [axios](https://github.com/axios/axios) from 0.24.0 to 0.25.0. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/master/CHANGELOG.md) - [Commits](https://github.com/axios/axios/compare/v0.24.0...v0.25.0) --- updated-dependencies: - dependency-name: axios dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-27Bump rdf-normalize from 0.4.0 to 0.5.0 (#17226)dependabot[bot]
Bumps [rdf-normalize](https://github.com/ruby-rdf/rdf-normalize) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/ruby-rdf/rdf-normalize/releases) - [Commits](https://github.com/ruby-rdf/rdf-normalize/compare/0.4.0...0.5.0) --- updated-dependencies: - dependency-name: rdf-normalize dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-26Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `config/environments/production.rb`: Upstream changed a header but we had different default headers. Applied the same change, and also dropped HSTS headers redundant with Rails'.
2022-01-26Fix local distribution of edited statuses (#17380)Claire
Because `FanOutOnWriteService#update?` was broken, edits were considered as new toots and a regular `update` payload was sent.
2022-01-26Add healthcheck for sidekiq (#17365)Su Yang
2022-01-26Fix poll updates being saved as status edits (#17373)Eugen Rochko
Fix #17344
2022-01-26Merge pull request #1667 from ClearlyClaire/glitch-soc/fixes/hcaptcha-textClaire
Improve explanations around the hCaptcha feature
2022-01-26Add link to /about/more to the CAPTCHA verification pageClaire
2022-01-26Add some explanation text on the CAPTCHA confirmation pageClaire
2022-01-26Add mention of accessibility issues to hCaptcha option in admin pageClaire
2022-01-26Merge pull request #1665 from ClearlyClaire/glitch-soc/features/hcaptchaClaire
Add optional hCaptcha support
2022-01-25Change CAPTCHA handling to be only on email verificationClaire
This simplifies the implementation considerably, and while not providing ideal UX, it's the most flexible approach.
2022-01-25Add ability to set hCaptcha either on registration form or on e-mail validationClaire
Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band registration API.
2022-01-25Disable `registrations` flag in /api/v1/instance when CAPTCHA is enabledClaire
This is to avoid apps trying and failing at using the registrations API, which does not let us require a CAPTCHA and cannot be clearly signaled as unavailable.
2022-01-25Bump sass from 1.48.0 to 1.49.0 (#17352)dependabot[bot]
Bumps [sass](https://github.com/sass/dart-sass) from 1.48.0 to 1.49.0. - [Release notes](https://github.com/sass/dart-sass/releases) - [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md) - [Commits](https://github.com/sass/dart-sass/compare/1.48.0...1.49.0) --- updated-dependencies: - dependency-name: sass dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump json-ld-preloaded from 3.1.6 to 3.2.0 (#17353)dependabot[bot]
Bumps [json-ld-preloaded](https://github.com/ruby-rdf/json-ld-preloaded) from 3.1.6 to 3.2.0. - [Release notes](https://github.com/ruby-rdf/json-ld-preloaded/releases) - [Commits](https://github.com/ruby-rdf/json-ld-preloaded/compare/3.1.6...3.2.0) --- updated-dependencies: - dependency-name: json-ld-preloaded dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump fabrication from 2.23.1 to 2.24.0 (#17356)dependabot[bot]
Bumps [fabrication](https://github.com/paulelliott/fabrication) from 2.23.1 to 2.24.0. - [Release notes](https://github.com/paulelliott/fabrication/releases) - [Changelog](https://github.com/paulelliott/fabrication/blob/master/Changelog.markdown) - [Commits](https://github.com/paulelliott/fabrication/commits) --- updated-dependencies: - dependency-name: fabrication dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump sidekiq from 6.3.1 to 6.4.0 (#17350)dependabot[bot]
Bumps [sidekiq](https://github.com/mperham/sidekiq) from 6.3.1 to 6.4.0. - [Release notes](https://github.com/mperham/sidekiq/releases) - [Changelog](https://github.com/mperham/sidekiq/blob/main/Changes.md) - [Commits](https://github.com/mperham/sidekiq/compare/v6.3.1...v6.4.0) --- updated-dependencies: - dependency-name: sidekiq dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump @babel/plugin-transform-runtime from 7.16.8 to 7.16.10 (#17361)dependabot[bot]
Bumps [@babel/plugin-transform-runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-runtime) from 7.16.8 to 7.16.10. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.16.10/packages/babel-plugin-transform-runtime) --- updated-dependencies: - dependency-name: "@babel/plugin-transform-runtime" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump cld3 from 3.4.3 to 3.4.4 (#17357)dependabot[bot]
Bumps [cld3](https://github.com/akihikodaki/cld3-ruby) from 3.4.3 to 3.4.4. - [Release notes](https://github.com/akihikodaki/cld3-ruby/releases) - [Commits](https://github.com/akihikodaki/cld3-ruby/compare/v3.4.3...v3.4.4) --- updated-dependencies: - dependency-name: cld3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump aws-sdk-s3 from 1.111.1 to 1.111.3 (#17368)dependabot[bot]
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.111.1 to 1.111.3. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/commits) --- updated-dependencies: - dependency-name: aws-sdk-s3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump bootsnap from 1.10.1 to 1.10.2 (#17367)dependabot[bot]
Bumps [bootsnap](https://github.com/Shopify/bootsnap) from 1.10.1 to 1.10.2. - [Release notes](https://github.com/Shopify/bootsnap/releases) - [Changelog](https://github.com/Shopify/bootsnap/blob/main/CHANGELOG.md) - [Commits](https://github.com/Shopify/bootsnap/compare/v1.10.1...v1.10.2) --- updated-dependencies: - dependency-name: bootsnap dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump node-fetch from 2.6.1 to 2.6.7 (#17366)dependabot[bot]
Bumps [node-fetch](https://github.com/node-fetch/node-fetch) from 2.6.1 to 2.6.7. - [Release notes](https://github.com/node-fetch/node-fetch/releases) - [Commits](https://github.com/node-fetch/node-fetch/compare/v2.6.1...v2.6.7) --- updated-dependencies: - dependency-name: node-fetch dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump nanoid from 3.1.23 to 3.2.0 (#17342)dependabot[bot]
Bumps [nanoid](https://github.com/ai/nanoid) from 3.1.23 to 3.2.0. - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](https://github.com/ai/nanoid/compare/3.1.23...3.2.0) --- updated-dependencies: - dependency-name: nanoid dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump @babel/preset-env from 7.16.8 to 7.16.11 (#17358)dependabot[bot]
Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) from 7.16.8 to 7.16.11. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.16.11/packages/babel-preset-env) --- updated-dependencies: - dependency-name: "@babel/preset-env" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump rubocop from 1.24.1 to 1.25.0 (#17322)dependabot[bot]
Bumps [rubocop](https://github.com/rubocop/rubocop) from 1.24.1 to 1.25.0. - [Release notes](https://github.com/rubocop/rubocop/releases) - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop/rubocop/compare/v1.24.1...v1.25.0) --- updated-dependencies: - dependency-name: rubocop dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump @babel/core from 7.16.7 to 7.16.12 (#17360)dependabot[bot]
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.16.7 to 7.16.12. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.16.12/packages/babel-core) --- updated-dependencies: - dependency-name: "@babel/core" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25Bump rails from 6.1.4.1 to 6.1.4.4 (#17159)dependabot[bot]
* Bump rails from 6.1.4.1 to 6.1.4.4 Bumps [rails](https://github.com/rails/rails) from 6.1.4.1 to 6.1.4.4. - [Release notes](https://github.com/rails/rails/releases) - [Commits](https://github.com/rails/rails/compare/v6.1.4.1...v6.1.4.4) --- updated-dependencies: - dependency-name: rails dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Revert marcel to 1.0.1 Avoid some regression that need to be investigated Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2022-01-24Disable captcha if registrations are disabled for various reasonsClaire
2022-01-24Renew Rails session ID on successful registrationClaire
2022-01-24Fix testsClaire
2022-01-24Please CodeClimateClaire
2022-01-24Add optional hCaptcha supportClaire
Fixes #1649 This requires setting `HCAPTCHA_SECRET_KEY` and `HCAPTCHA_SITE_KEY`, then enabling the admin setting at `/admin/settings/edit#form_admin_settings_captcha_enabled` Subsequently, a hCaptcha widget will be displayed on `/about` and `/auth/sign_up` unless: - the user is already signed-up already - the user has used an invite link - the user has already solved the captcha (and registration failed for another reason) The Content-Security-Policy headers are altered automatically to allow the third-party hCaptcha scripts on `/about` and `/auth/sign_up` following the same rules as above.
2022-01-24disable legacy XSS filtering (#17289)Wonderfall
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
2022-01-24Fix link_to_login argument handling when a block is passed (#17345)Claire
2022-01-23Merge pull request #1663 from ClearlyClaire/glitch-soc/merge-upstreamClaire
Merge upstream changes
2022-01-23[Glitch] Change `percent` to `rate` in retention metrics APIClaire
Port a63495230a3a28e022504f36356cd75b17b635ba to glitch-soc Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2022-01-23[Glitch] Fix text being incorrectly pre-selected in composer textarea on /shareClaire
Port 3a103cd317fd56aca27fca01e03647df44e3ffd2 to glitch-soc Signed-off-by: Claire <claire.github-309c@sitedethib.com>
2022-01-23Merge branch 'main' into glitch-soc/merge-upstreamClaire
Conflicts: - `spec/models/status_spec.rb`: Upstream added tests too close to glitch-soc-specific tests. Kept both tests.
2022-01-23Fix error-prone SQL queries (#15828)Claire
* Fix error-prone SQL queries in Account search While this code seems to not present an actual vulnerability, one could easily be introduced by mistake due to how the query is built. This PR parameterises the `to_tsquery` input to make the query more robust. * Harden code for Status#tagged_with_all and Status#tagged_with_none Those two scopes aren't used in a way that could be vulnerable to an SQL injection, but keeping them unchanged might be a hazard. * Remove unneeded spaces surrounding tsquery term * Please CodeClimate * Move advanced_search_for SQL template to its own function This avoids one level of indentation while making clearer that the SQL template isn't build from all the dynamic parameters of advanced_search_for. * Add tests covering tagged_with, tagged_with_all and tagged_with_none * Rewrite tagged_with_none to avoid multiple joins and make it more robust * Remove obsolete brakeman warnings * Revert "Remove unneeded spaces surrounding tsquery term" The two queries are not strictly equivalent. This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-01-23Change `percent` to `rate` in retention metrics API (#16910)Claire
2022-01-23Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288)Claire
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being. * Add OMNIAUTH_ONLY environment variable to enforce external log-in only * Disable user registration when OMNIAUTH_ONLY is set to true * Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2022-01-23Remove support for OAUTH_REDIRECT_AT_SIGN_IN (#17287)Claire
Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being.
2022-01-23Remove leftover database columns from Devise::Models::Rememberable (#17191)Claire
* Remove leftover database columns from Devise::Models::Rememberable * Update fix-duplication maintenance script * Improve errors/warnings in the fix-duplicates maintenance script
2022-01-23Remove old duplicate index (#17245)Claire
Some Mastodon versions (v1.1 and v1.2) had a duplicate index in `db/schema.rb` without any migration script creating it. #2224 (included in v1.3) removed the duplicate index from the file but did not provide a migration script to remove it. This means that any instance that was installed from v1.1 or v1.2's source code has a duplicate index and a corresponding warning in PgHero. Instances set up using an earlier or later Mastodon version do not have this issue. This PR removes the duplicate index if it is present.
2022-01-20Fix text being incorrectly pre-selected in composer textarea on /share (#17339)Claire
Fixes #17295
2022-01-20Change mastodon:webpush:generate_vapid_key task to not require functional ↵Claire
env (#17338) Fixes #17297