From 0a630a1bc3c2557c45675455c9838a20f69b6781 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Feb 2021 09:55:51 +0900 Subject: Bump aws-sdk-s3 from 1.87.0 to 1.88.0 (#15667) Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.87.0 to 1.88.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/commits) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Gemfile') diff --git a/Gemfile b/Gemfile index 9443725ee..78cb44168 100644 --- a/Gemfile +++ b/Gemfile @@ -17,7 +17,7 @@ gem 'makara', '~> 0.5' gem 'pghero', '~> 2.7' gem 'dotenv-rails', '~> 2.7' -gem 'aws-sdk-s3', '~> 1.87', require: false +gem 'aws-sdk-s3', '~> 1.88', require: false gem 'fog-core', '<= 2.1.0' gem 'fog-openstack', '~> 0.3', require: false gem 'paperclip', '~> 6.0' -- cgit From e79f8dd85cb63125185fdf711f470c298a0b5dbc Mon Sep 17 00:00:00 2001 From: Cecylia Bocovich Date: Wed, 10 Feb 2021 22:40:13 -0500 Subject: Onion service related changes to HTTPS handling (#15560) * Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland --- Gemfile | 2 ++ Gemfile.lock | 4 ++++ app/controllers/application_controller.rb | 2 +- app/lib/webfinger.rb | 12 ++++++++++-- config/initializers/devise.rb | 6 ------ config/initializers/makara.rb | 1 - config/initializers/secureheaders.rb | 10 ++++++++++ config/initializers/session_store.rb | 1 - 8 files changed, 27 insertions(+), 11 deletions(-) create mode 100644 config/initializers/secureheaders.rb (limited to 'Gemfile') diff --git a/Gemfile b/Gemfile index 78cb44168..8d8542f83 100644 --- a/Gemfile +++ b/Gemfile 
@@ -161,3 +161,5 @@ gem 'connection_pool', require: false
 gem 'xorcist', '~> 1.1'
 gem 'pluck_each', '~> 0.1.3'
+
+gem 'secure_headers', '~> 3.5'
diff --git a/Gemfile.lock b/Gemfile.lock
index bd32f72a7..4237d6bba 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -571,6 +571,8 @@ GEM
 scenic (1.5.4)
 activerecord (>= 4.0.0)
 railties (>= 4.0.0)
+ secure_headers (3.9.0)
+ useragent
 securecompare (1.0.0)
 semantic_range (2.3.0)
 sidekiq (6.1.3)
@@ -652,6 +654,7 @@ GEM
 unf_ext (0.0.7.7)
 unicode-display_width (1.7.0)
 uniform_notifier (1.13.2)
+ useragent (0.16.10)
 warden (1.2.9)
 rack (>= 2.0.9)
 webauthn (3.0.0.alpha1)
@@ -795,6 +798,7 @@ DEPENDENCIES
 ruby-progressbar (~> 1.11)
 sanitize (~> 5.2)
 scenic (~> 1.5)
+ secure_headers (~> 3.5)
 sidekiq (~> 6.1)
 sidekiq-bulk (~> 0.2.0)
 sidekiq-scheduler (~> 3.0)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 44616d6e5..c9311c1b6 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base
 private
 def https_enabled?
- Rails.env.production? && !request.path.start_with?('/health')
+ Rails.env.production? && !request.path.start_with?('/health') && !request.headers["Host"].ends_with?(".onion")
 end
 def authorized_fetch_mode?
diff --git a/app/lib/webfinger.rb b/app/lib/webfinger.rb
index 702365939..40795a7aa 100644
--- a/app/lib/webfinger.rb
+++ b/app/lib/webfinger.rb
@@ -88,10 +88,18 @@ class Webfinger
 end
 def standard_url
- "https://#{@domain}/.well-known/webfinger?resource=#{@uri}"
+ if @domain.ends_with? ".onion"
+ "http://#{@domain}/.well-known/webfinger?resource=#{@uri}"
+ else
+ "https://#{@domain}/.well-known/webfinger?resource=#{@uri}"
+ end
 end
 def host_meta_url
- "https://#{@domain}/.well-known/host-meta"
+ if @domain.ends_with? ".onion"
+ "http://#{@domain}/.well-known/host-meta"
+ else
+ "https://#{@domain}/.well-known/host-meta"
+ end
 end
 end
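Review bot: `request.headers["Host"]` is nil for a request that arrives without a Host header (HTTP/1.0 clients, or a proxy that strips it), so the new `ends_with?` call in `https_enabled?` raises NoMethodError instead of answering the question, and it also never matches when the header carries a port (`foo.onion:8080`). `request.host` is already parsed and port-free; a minimal fix is `!request.host.to_s.end_with?('.onion')`. Note the comparison is against a client-supplied value: unless the reverse proxy pins or validates Host, any plaintext client can claim a `.onion` name and opt itself out of whatever HTTPS enforcement this predicate gates (presumably a `force_ssl` condition, which is outside the hunk), so comparing against the instance's configured onion hostname rather than a bare suffix would be stronger. The method itself is fully inside the hunk.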
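Review bot: `standard_url` and `host_meta_url` now each embed the same scheme decision, so a third `.well-known` helper will drift; one private helper keeps a single decision point: `def scheme; @domain.end_with?('.onion') ? 'http' : 'https'; end` and `"#{scheme}://#{@domain}/.well-known/webfinger?resource=#{@uri}"` in the callers. Dropping TLS is only acceptable because Tor already encrypts end-to-end to a hidden service, which means this also assumes the outbound HTTP client routes `.onion` hosts through a Tor proxy — nothing in this hunk shows that, and without it the plain `http://` request will fail or leak the name lookup. A comment recording the dependency would help the next reader: `# .onion services are reached over Tor, which encrypts end-to-end; plain http is intentional and relies on the HTTP client proxying .onion through Tor`. Also, `ends_with?` is an ActiveSupport alias; core Ruby's `end_with?` works identically and is what the rest of the file is likely to use.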
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index ef612e177..d3757b0d3 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
 value: session_id,
 expires: 1.year.from_now,
 httponly: true,
- secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
 same_site: :lax,
 }
 end
@@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden|
 value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
 expires: 1.year.from_now,
 httponly: true,
- secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
 same_site: :lax,
 }
 else
@@ -229,10 +227,6 @@ Devise.setup do |config|
 # If true, extends the user's remember period when remembered via cookie.
 # config.extend_remember_period = false
- # Options to be passed to the created cookie. For instance, you can set
- # secure: true in order to force SSL only cookies.
- config.rememberable_options = { secure: true }
-
 # ==> Configuration for :validatable
 # Range for password length.
 config.password_length = 8..72
diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb
index dc88fa63c..afd29eda8 100644
--- a/config/initializers/makara.rb
+++ b/config/initializers/makara.rb
@@ -1,2 +1 @@
 Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
-Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb
new file mode 100644
index 000000000..6c8ac7fbe
--- /dev/null
+++ b/config/initializers/secureheaders.rb
@@ -0,0 +1,10 @@
+SecureHeaders::Configuration.default do |config|
+ config.cookies = {
+ secure: true,
+ httponly: true,
+ samesite: {
+ lax: true
+ }
+ }
+ config.csp = SecureHeaders::OPT_OUT
+end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index e5d1be4c6..7e3471ac4 100644
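Review bot: `secure: true` in the new secureheaders.rb is unconditional, whereas every `secure:` flag this commit removes from devise.rb, makara.rb and session_store.rb was gated on `Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'`, so development over plain HTTP — and the plain-HTTP `.onion` case the commit is about — will now emit cookies flagged Secure from a non-TLS origin. As far as I know the gem applies these attributes as Rack middleware after Rails has written the Set-Cookie header, so Rails' own over-HTTP drop is bypassed and acceptance is left to the browser, which only honours a Secure cookie from an origin it treats as secure; whether Tor Browser does so for `.onion` should be confirmed rather than assumed. Keeping the original condition preserves today's behaviour: `secure: Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true',`. Separately, only CSP is opted out here, while the gem ships defaults for its other headers (HSTS, X-Frame-Options, Referrer-Policy and similar), so check that these do not duplicate or contradict what Rails or the reverse proxy already send, and opt out of each one that is managed elsewhere.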
--- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,6 +2,5 @@ Rails.application.config.session_store :cookie_store, { key: '_mastodon_session', - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } -- cgit From c3d1b7a2f5cf8e2f6b3490400b335024f0d34e12 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Feb 2021 20:51:09 +0900 Subject: Bump bootsnap from 1.5.1 to 1.7.1 (#15669) Bumps [bootsnap](https://github.com/Shopify/bootsnap) from 1.5.1 to 1.7.1. - [Release notes](https://github.com/Shopify/bootsnap/releases) - [Changelog](https://github.com/Shopify/bootsnap/blob/master/CHANGELOG.md) - [Commits](https://github.com/Shopify/bootsnap/compare/v1.5.1...v1.7.1) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile | 2 +- Gemfile.lock | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'Gemfile') diff --git a/Gemfile b/Gemfile index 8d8542f83..6eacd2499 100644 --- a/Gemfile +++ b/Gemfile @@ -27,7 +27,7 @@ gem 'blurhash', '~> 0.1' gem 'active_model_serializers', '~> 0.10' gem 'addressable', '~> 2.7' -gem 'bootsnap', '~> 1.5', require: false +gem 'bootsnap', '~> 1.7', require: false gem 'browser' gem 'charlock_holmes', '~> 0.7.7' gem 'iso-639' diff --git a/Gemfile.lock b/Gemfile.lock index 4237d6bba..debeeb4e6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -104,7 +104,7 @@ GEM debug_inspector (>= 0.0.1) blurhash (0.1.4) ffi (~> 1.10.0) - bootsnap (1.5.1) + bootsnap (1.7.1) msgpack (~> 1.0) brakeman (4.10.1) browser (4.2.0) @@ -354,7 +354,7 @@ GEM mini_mime (1.0.2) mini_portile2 (2.5.0) minitest (5.14.3) - msgpack (1.3.3) + msgpack (1.4.2) multi_json (1.15.0) multipart-post (2.1.1) net-ldap (0.17.0) 
@@ -699,7 +699,7 @@ DEPENDENCIES better_errors (~> 2.9) binding_of_caller (~> 1.0) blurhash (~> 0.1) - bootsnap (~> 1.5) + bootsnap (~> 1.7) brakeman (~> 4.10) browser bullet (~> 6.1) -- cgit From 69c1889a6aa063bc7d3a26e4e24ae72dc409ddea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Feb 2021 20:58:46 +0900 Subject: Bump rack-attack from 6.4.0 to 6.5.0 (#15671) Bumps [rack-attack](https://github.com/rack/rack-attack) from 6.4.0 to 6.5.0. - [Release notes](https://github.com/rack/rack-attack/releases) - [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md) - [Commits](https://github.com/rack/rack-attack/compare/v6.4.0...v6.5.0) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile | 2 +- Gemfile.lock | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'Gemfile') diff --git a/Gemfile b/Gemfile index 6eacd2499..259e41782 100644 --- a/Gemfile +++ b/Gemfile @@ -73,7 +73,7 @@ gem 'parallel', '~> 1.20' gem 'posix-spawn' gem 'pundit', '~> 2.1' gem 'premailer-rails' -gem 'rack-attack', '~> 6.4' +gem 'rack-attack', '~> 6.5' gem 'rack-cors', '~> 1.1', require: 'rack/cors' gem 'rails-i18n', '~> 5.1' gem 'rails-settings-cached', '~> 0.6' diff --git a/Gemfile.lock b/Gemfile.lock index a6d8a2cda..a8d8da539 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -439,7 +439,7 @@ GEM raabro (1.3.3) racc (1.5.2) rack (2.2.3) - rack-attack (6.4.0) + rack-attack (6.5.0) rack (>= 1.0, < 3) rack-cors (1.1.1) rack (>= 2.0.0) @@ -779,7 +779,7 @@ DEPENDENCIES puma (~> 5.1) pundit (~> 2.1) rack (~> 2.2.3) - rack-attack (~> 6.4) + rack-attack (~> 6.5) rack-cors (~> 1.1) rails (~> 5.2.4.4) rails-controller-testing (~> 1.0) -- cgit From 3fcc6b9aff1ccadeca158ad6b909f46b9e9a30be Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Feb 2021 00:10:00 +0900 Subject: Bump rubocop from 1.8.1 to 1.9.1 (#15677) * Bump rubocop from 1.8.1 to 1.9.1 Bumps [rubocop](https://github.com/rubocop-hq/rubocop) from 1.8.1 to 1.9.1. - [Release notes](https://github.com/rubocop-hq/rubocop/releases) - [Changelog](https://github.com/rubocop-hq/rubocop/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop-hq/rubocop/compare/v1.8.1...v1.9.1) Signed-off-by: dependabot[bot] * Fix .codeclimate.yml Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Yamagishi Kazutoshi --- .codeclimate.yml | 2 +- Gemfile | 2 +- Gemfile.lock | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) (limited to 'Gemfile') diff --git a/.codeclimate.yml b/.codeclimate.yml index 62dc2334c..8701e5f3d 100644 --- a/.codeclimate.yml +++ b/.codeclimate.yml @@ -30,7 +30,7 @@ plugins: channel: eslint-7 rubocop: enabled: true - channel: rubocop-1-8-1 + channel: rubocop-1-9-1 sass-lint: enabled: true exclude_patterns: diff --git a/Gemfile b/Gemfile index 259e41782..ade780d3a 100644 --- a/Gemfile +++ b/Gemfile @@ -138,7 +138,7 @@ group :development do gem 'letter_opener', '~> 1.7' gem 'letter_opener_web', '~> 1.4' gem 'memory_profiler' - gem 'rubocop', '~> 1.8', require: false + gem 'rubocop', '~> 1.9', require: false gem 'rubocop-rails', '~> 2.9', require: false gem 'brakeman', '~> 4.10', require: false gem 'bundler-audit', '~> 0.7', require: false diff --git a/Gemfile.lock b/Gemfile.lock index a8d8da539..ee0c08da5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -72,7 +72,7 @@ GEM activerecord (>= 3.2, < 7.0) rake (>= 10.4, < 14.0) arel (9.0.0) - ast (2.4.1) + ast (2.4.2) attr_encrypted (3.1.0) encryptor (~> 3.0.0) av (0.9.0) 
@@ -541,7 +541,7 @@ GEM rspec-support (3.10.1) rspec_junit_formatter (0.4.1) rspec-core (>= 2, < 4, != 2.12.0) - rubocop (1.8.1) + rubocop (1.9.1) parallel (~> 1.10) parser (>= 3.0.0.0) rainbow (>= 2.2.2, < 4.0) @@ -550,7 +550,7 @@ GEM rubocop-ast (>= 1.2.0, < 2.0) ruby-progressbar (~> 1.7) unicode-display_width (>= 1.4.0, < 3.0) - rubocop-ast (1.4.0) + rubocop-ast (1.4.1) parser (>= 2.7.1.5) rubocop-rails (2.9.1) activesupport (>= 4.2.0) @@ -793,7 +793,7 @@ DEPENDENCIES rspec-rails (~> 4.0) rspec-sidekiq (~> 3.1) rspec_junit_formatter (~> 0.4) - rubocop (~> 1.8) + rubocop (~> 1.9) rubocop-rails (~> 2.9) ruby-progressbar (~> 1.11) sanitize (~> 5.2) -- cgit From 01e44b886dd03722507da3a799967ba2cab714ad Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 11 Feb 2021 19:20:58 +0100 Subject: Downgrade bootsnap to 1.6.0 (#15711) * Revert "Bump bootsnap from 1.5.1 to 1.7.1 (#15669)" This reverts commit c3d1b7a2f5cf8e2f6b3490400b335024f0d34e12. * Downgrade bootsnap to 1.6.0 --- Gemfile | 2 +- Gemfile.lock | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'Gemfile') diff --git a/Gemfile b/Gemfile index ade780d3a..8fd9fb3e2 100644 --- a/Gemfile +++ b/Gemfile @@ -27,7 +27,7 @@ gem 'blurhash', '~> 0.1' gem 'active_model_serializers', '~> 0.10' gem 'addressable', '~> 2.7' -gem 'bootsnap', '~> 1.7', require: false +gem 'bootsnap', '~> 1.6.0', require: false gem 'browser' gem 'charlock_holmes', '~> 0.7.7' gem 'iso-639' diff --git a/Gemfile.lock b/Gemfile.lock index ee0c08da5..3780e3a29 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -104,7 +104,7 @@ GEM debug_inspector (>= 0.0.1) blurhash (0.1.4) ffi (~> 1.10.0) - bootsnap (1.7.1) + bootsnap (1.6.0) msgpack (~> 1.0) brakeman (4.10.1) browser (4.2.0) @@ -699,7 +699,7 @@ DEPENDENCIES better_errors (~> 2.9) binding_of_caller (~> 1.0) blurhash (~> 0.1) - bootsnap (~> 1.7) + bootsnap (~> 1.6.0) brakeman (~> 4.10) browser bullet (~> 6.1) -- cgit From 21fb3f3684782628319a0d6339dd9fd446c2b673 Mon Sep 17 00:00:00 2001 
From: Claire Date: Thu, 11 Feb 2021 23:47:05 +0100 Subject: Drop dependency on secure_headers, fix response headers (#15712) * Drop dependency on secure_headers, use always_write_cookie instead * Fix cookies in Tor Hidden Services by moving configuration to application.rb * Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch --- Gemfile | 2 -- Gemfile.lock | 4 ---- config/application.rb | 1 + config/initializers/devise.rb | 6 ++++++ config/initializers/makara.rb | 1 + config/initializers/secureheaders.rb | 10 ---------- config/initializers/session_store.rb | 1 + lib/action_dispatch/cookie_jar_extensions.rb | 15 +++++++++++++++ 8 files changed, 24 insertions(+), 16 deletions(-) delete mode 100644 config/initializers/secureheaders.rb create mode 100644 lib/action_dispatch/cookie_jar_extensions.rb (limited to 'Gemfile') diff --git a/Gemfile b/Gemfile index 8fd9fb3e2..713e5600e 100644 --- a/Gemfile +++ b/Gemfile @@ -161,5 +161,3 @@ gem 'connection_pool', require: false gem 'xorcist', '~> 1.1' gem 'pluck_each', '~> 0.1.3' - -gem 'secure_headers', '~> 3.5' diff --git a/Gemfile.lock b/Gemfile.lock index 3780e3a29..e508b0b0c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -571,8 +571,6 @@ GEM scenic (1.5.4) activerecord (>= 4.0.0) railties (>= 4.0.0) - secure_headers (3.9.0) - useragent securecompare (1.0.0) semantic_range (2.3.0) sidekiq (6.1.3) @@ -654,7 +652,6 @@ GEM unf_ext (0.0.7.7) unicode-display_width (1.7.0) uniform_notifier (1.13.2) - useragent (0.16.10) warden (1.2.9) rack (>= 2.0.9) webauthn (3.0.0.alpha1) @@ -798,7 +795,6 @@ DEPENDENCIES ruby-progressbar (~> 1.11) sanitize (~> 5.2) scenic (~> 1.5) - secure_headers (~> 3.5) sidekiq (~> 6.1) sidekiq-bulk (~> 0.2.0) sidekiq-scheduler (~> 3.0) diff --git a/config/application.rb b/config/application.rb index a45ac1860..116eaf29d 100644 --- a/config/application.rb +++ b/config/application.rb 
@@ -25,6 +25,7 @@ require_relative '../lib/devise/two_factor_pam_authenticatable'
 require_relative '../lib/chewy/strategy/custom_sidekiq'
 require_relative '../lib/webpacker/manifest_extensions'
 require_relative '../lib/webpacker/helper_extensions'
+require_relative '../lib/action_dispatch/cookie_jar_extensions'
 require_relative '../lib/rails/engine_extensions'
 Dotenv::Railtie.load
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index d3757b0d3..ef612e177 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -9,6 +9,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
 value: session_id,
 expires: 1.year.from_now,
 httponly: true,
+ secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
 same_site: :lax,
 }
 end
@@ -19,6 +20,7 @@ Warden::Manager.after_fetch do |user, warden|
 value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
 expires: 1.year.from_now,
 httponly: true,
+ secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
 same_site: :lax,
 }
 else
@@ -227,6 +229,10 @@ Devise.setup do |config|
 # If true, extends the user's remember period when remembered via cookie.
 # config.extend_remember_period = false
+ # Options to be passed to the created cookie. For instance, you can set
+ # secure: true in order to force SSL only cookies.
+ config.rememberable_options = { secure: true }
+
 # ==> Configuration for :validatable
 # Range for password length.
 config.password_length = 8..72
diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb
index afd29eda8..dc88fa63c 100644
--- a/config/initializers/makara.rb
+++ b/config/initializers/makara.rb
@@ -1 +1,2 @@
 Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
+Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb
deleted file mode 100644
index 6c8ac7fbe..000000000
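Review bot: `config.rememberable_options = { secure: true }` comes back unconditional while the two Warden cookies in the hunks above it, and the makara.rb and session_store.rb flags in this same commit, gate `secure:` on `Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'`. Over plain HTTP in development the remember-me cookie is therefore the only one flagged Secure, and — as the new cookie_jar_extensions.rb comment itself notes — ActionDispatch drops Secure cookies over HTTP unless the `.onion` bypass applies, so "remember me" silently does nothing in that setup. `config.rememberable_options = { secure: Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true' }` would make the four cookie configurations agree. These lines are a verbatim restore of what #15560 removed, so the inconsistency predates this commit, but this is the natural place to settle it.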
--- a/config/initializers/secureheaders.rb
+++ /dev/null
@@ -1,10 +0,0 @@
-SecureHeaders::Configuration.default do |config|
- config.cookies = {
- secure: true,
- httponly: true,
- samesite: {
- lax: true
- }
- }
- config.csp = SecureHeaders::OPT_OUT
-end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 7e3471ac4..e5d1be4c6 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -2,5 +2,6 @@ Rails.application.config.session_store :cookie_store, {
 key: '_mastodon_session',
+ secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
 same_site: :lax,
 }
diff --git a/lib/action_dispatch/cookie_jar_extensions.rb b/lib/action_dispatch/cookie_jar_extensions.rb
new file mode 100644
index 000000000..44c39c1f8
--- /dev/null
+++ b/lib/action_dispatch/cookie_jar_extensions.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+ module CookieJarExtensions
+ private
+
+ # Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
+ # users. Otherwise, ActionDispatch would drop the cookie over HTTP.
+ def write_cookie?(*)
+ request.headers['Host'].ends_with?('.onion') || super
+ end
+ end
+end
+
+ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
-- cgit
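Review bot: `request.headers['Host']` can be nil (a request without a Host header, or a proxy that drops it), and because `write_cookie?` runs for every cookie the jar writes, the resulting NoMethodError turns any response that sets a cookie into a 500 for such clients; `request.host` is already parsed and port-free, so `request.host.to_s.end_with?('.onion') || super` removes both the nil crash and the `foo.onion:PORT` mismatch. The value is also attacker-controlled: unless the reverse proxy rewrites or validates Host, any plaintext client can claim a `.onion` name and have Secure-flagged cookies written over HTTP, which weakens exactly the protection this method normally provides, so comparing against the instance's configured onion hostname rather than a bare suffix would be safer and the header comment should state that the check trusts Host. The bare `super` with a `*` splat forwards whatever the upstream signature is (`write_cookie?(cookie)` in the Rails 5.2 line this Gemfile.lock pins, if I read it right), which is fine, but a one-line comment noting which Rails method is being overridden would make future upgrades easier to audit.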