From dea5db0e25058ae81f9a5120e4154458768a28cb Mon Sep 17 00:00:00 2001 From: ThibG Date: Mon, 4 May 2020 13:52:41 +0200 Subject: Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) --- config/initializers/content_security_policy.rb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'config/initializers') diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 654e2e8cd..f26d9c8ea 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -46,3 +46,8 @@ end # For further information see the following documentation: # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only # Rails.application.config.content_security_policy_report_only = true + +PgHero::HomeController.content_security_policy do |p| + p.script_src :self, :unsafe_inline, assets_host + p.style_src :self, :unsafe_inline, assets_host +end -- cgit From e1629a77585245493d4b0ffb8d612d19b53d9087 Mon Sep 17 00:00:00 2001 From: ThibG Date: Fri, 8 May 2020 21:22:57 +0200 Subject: Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679) * Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src --- app/views/layouts/application.html.haml | 2 ++ config/initializers/content_security_policy.rb | 2 +- public/inert.css | 11 +++++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 public/inert.css (limited to 'config/initializers') diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml index 25d001337..39fa0678f 100755 --- a/app/views/layouts/application.html.haml +++ b/app/views/layouts/application.html.haml 
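Review bot: The new PgHero policy grants `:unsafe_inline` to `script_src`, which switches off CSP's protection against injected scripts for every PgHero page; it is an admin-only surface, but nothing in the file says why the relaxation is needed. Add a comment above the block, `# PgHero's bundled views use inline <script>/<style>; keep this relaxed policy scoped to its controller.`, and treat a nonce- or hash-based source as the follow-up once PgHero allows it. The block also reads `assets_host`, which is defined earlier in the file outside this hunk — presumably a file-level local, so confirm it is in scope at this point of the initializer.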
@@ -26,6 +26,8 @@ = javascript_pack_tag "locale_#{I18n.locale}", integrity: true, crossorigin: 'anonymous' = csrf_meta_tags + = stylesheet_link_tag '/inert.css', skip_pipeline: true, media: 'all', id: 'inert-style' + - if Setting.custom_css.present? = stylesheet_link_tag custom_css_path, media: 'all' diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index f26d9c8ea..7dcc028ab 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -22,7 +22,7 @@ Rails.application.config.content_security_policy do |p| p.frame_ancestors :none p.font_src :self, assets_host p.img_src :self, :https, :data, :blob, assets_host - p.style_src :self, :unsafe_inline, assets_host + p.style_src :self, assets_host p.media_src :self, :https, :data, assets_host p.frame_src :self, :https p.manifest_src :self, assets_host diff --git a/public/inert.css b/public/inert.css new file mode 100644 index 000000000..275fad2e6 --- /dev/null +++ b/public/inert.css @@ -0,0 +1,11 @@ +[inert] { + pointer-events: none; + cursor: default; +} + +[inert], [inert] * { + user-select: none; + -webkit-user-select: none; + -moz-user-select: none; + -ms-user-select: none; +} -- cgit From 34756cc4e095fa4d3add5ea94c1453e6a2f33064 Mon Sep 17 00:00:00 2001 From: ThibG Date: Sat, 9 May 2020 21:06:55 +0200 Subject: Fix "tootctl media remove-orphans" crashing on “Import” files (#13685) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix "tootctl media remove-orphans" crashing on “Import” files * Also remove empty directories when removing orphaned media --- config/initializers/inflections.rb | 2 ++ lib/mastodon/media_cli.rb | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'config/initializers') diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb index c65153b0a..0667a542c 100644 
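Review bot: `stylesheet_link_tag '/inert.css', skip_pipeline: true` serves the file straight from `public/` without a digest, so unlike the `javascript_pack_tag` just above it has neither an `integrity` attribute nor a fingerprint, and browsers may keep a stale copy across deploys. That is acceptable for a tiny stylesheet that is not expected to change, but say so next to the tag: `-# Served outside the asset pipeline so wicg-inert needs no inline CSS under the tightened CSP; not fingerprinted, so keep it stable.` If it ever needs edits, route it through the pipeline so the digest changes with it.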
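Review bot: Removing `:unsafe_inline` from `style_src` rejects every inline `style=` attribute and `<style>` element the app renders, not only the wicg-inert case this commit moves to `public/inert.css`, and the initializer gives no hint of that to whoever next sees a blocked style. Add a comment on the line: `p.style_src :self, assets_host # no 'unsafe-inline': ship styles as files (see public/inert.css)`. Note that the PgHero block added in the previous commit of this series still grants `:unsafe_inline` to its own `style_src`, so that controller stays relaxed, and the commented-out `content_security_policy_report_only` toggle later in this file is the easy way to surface remaining inline styles before enforcing. The `Rails.application.config.content_security_policy do |p|` block this line belongs to starts and ends outside the hunk.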
--- a/config/initializers/inflections.rb +++ b/config/initializers/inflections.rb @@ -19,4 +19,6 @@ ActiveSupport::Inflector.inflections(:en) do |inflect| inflect.acronym 'ActivityStreams' inflect.acronym 'JsonLd' inflect.acronym 'NodeInfo' + + inflect.singular 'data', 'data' end diff --git a/lib/mastodon/media_cli.rb b/lib/mastodon/media_cli.rb index 424d65a5f..506544446 100644 --- a/lib/mastodon/media_cli.rb +++ b/lib/mastodon/media_cli.rb @@ -144,7 +144,14 @@ module Mastodon begin size = File.size(path) - File.delete(path) unless options[:dry_run] + unless options[:dry_run] + File.delete(path) + begin + FileUtils.rmdir(File.dirname(path), parents: true) + rescue Errno::ENOTEMPTY + # OK + end + end reclaimed_bytes += size removed += 1 -- cgit From 4b766f984689311523b89e1b68d2a11dff3fc396 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Sun, 10 May 2020 11:41:43 +0200 Subject: Refactor monkey-patching of Goldfinger (#12561) --- app/helpers/webfinger_helper.rb | 19 +++++++++++++++++++ app/models/remote_follow.rb | 3 ++- .../activitypub/fetch_remote_account_service.rb | 5 +++-- app/services/resolve_account_service.rb | 3 ++- config/initializers/http_client_proxy.rb | 20 +++++++++----------- spec/controllers/remote_follow_controller_spec.rb | 10 +++++----- 6 files changed, 40 insertions(+), 20 deletions(-) create mode 100644 app/helpers/webfinger_helper.rb (limited to 'config/initializers') diff --git a/app/helpers/webfinger_helper.rb b/app/helpers/webfinger_helper.rb new file mode 100644 index 000000000..70c493210 --- /dev/null +++ b/app/helpers/webfinger_helper.rb 
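Review bot: `inflect.singular 'data', 'data'` changes `String#singularize` for the whole application, and the file does not say why; per the commit subject it keeps `tootctl media remove-orphans` from mangling the attachment name of Import records (presumably because ActiveSupport otherwise singularizes `data` to `datum` when a path is rebuilt from it). Record that next to the rule: `# Keep "data" uninflected: Import files live under a "data" attachment and singularizing it to "datum" breaks path reconstruction.` Since the rule is global, check for other callers that relied on `data` becoming `datum`.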
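Review bot: `FileUtils.rmdir(File.dirname(path), parents: true)` walks upward and, per FileUtils' implementation, removes every ancestor that has become empty until it reaches a non-empty directory or the filesystem root; if `path` lives under a local storage root (not visible in the hunk), deleting the last orphan can therefore remove that root directory itself and any empty directory above it — bound the walk, for example by stopping when the parent equals the storage root. The rescue also covers only `Errno::ENOTEMPTY`, while a parent that disappeared concurrently raises `Errno::ENOENT` and some platforms report a non-empty directory as `Errno::EEXIST` (FileUtils rescues all three in its own parent loop); use `rescue Errno::ENOTEMPTY, Errno::EEXIST, Errno::ENOENT`. The enclosing `begin` and the method around it start and end outside the hunk.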
@@ -0,0 +1,19 @@ +# frozen_string_literal: true + +module WebfingerHelper + def webfinger!(uri) + hidden_service_uri = /\.(onion|i2p)(:\d+)?$/.match(uri) + + raise Mastodon::HostValidationError, 'Instance does not support hidden service connections' if !Rails.configuration.x.access_to_hidden_service && hidden_service_uri + + opts = { + ssl: !hidden_service_uri, + + headers: { + 'User-Agent': Mastodon::Version.user_agent, + }, + } + + Goldfinger::Client.new(uri, opts.merge(Rails.configuration.x.http_client_proxy)).finger + end +end diff --git a/app/models/remote_follow.rb b/app/models/remote_follow.rb index 5ea535287..30b84f7d5 100644 --- a/app/models/remote_follow.rb +++ b/app/models/remote_follow.rb @@ -3,6 +3,7 @@ class RemoteFollow include ActiveModel::Validations include RoutingHelper + include WebfingerHelper attr_accessor :acct, :addressable_template @@ -71,7 +72,7 @@ class RemoteFollow end def acct_resource - @acct_resource ||= Goldfinger.finger("acct:#{acct}") + @acct_resource ||= webfinger!("acct:#{acct}") rescue Goldfinger::Error, HTTP::ConnectionError nil end diff --git a/app/services/activitypub/fetch_remote_account_service.rb b/app/services/activitypub/fetch_remote_account_service.rb index d65c8f951..83fbf6d07 100644 --- a/app/services/activitypub/fetch_remote_account_service.rb +++ b/app/services/activitypub/fetch_remote_account_service.rb @@ -3,6 +3,7 @@ class ActivityPub::FetchRemoteAccountService < BaseService include JsonLdHelper include DomainControlHelper + include WebfingerHelper SUPPORTED_TYPES = %w(Application Group Organization Person Service).freeze 
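Review bot: `/\.(onion|i2p)(:\d+)?$/` anchors with `$`, which in Ruby matches before any embedded newline rather than only at the end of the string; since this match is what turns TLS off (`ssl: !hidden_service_uri`) and decides whether the hidden-service gate applies, anchor it with `\z`, and hoist it into a constant so the regexp is not rebuilt per call: `HIDDEN_SERVICE_RE = /\.(onion|i2p)(:\d+)?\z/` and `hidden_service_uri = HIDDEN_SERVICE_RE.match(uri)`. Whether a `uri` containing a newline can reach this helper depends on the callers, which are outside this hunk, so treat the `\z` change as hardening rather than a known bug. The method also deserves a doc comment, e.g. `# Performs the WebFinger lookup for +uri+ through the configured proxy; raises Mastodon::HostValidationError for .onion/.i2p hosts unless hidden-service access is enabled.`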
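Review bot: `acct_resource` rescues only `Goldfinger::Error, HTTP::ConnectionError`, but `webfinger!` (added in app/helpers/webfinger_helper.rb in this same change) raises `Mastodon::HostValidationError` for `.onion`/`.i2p` accounts when hidden-service access is disabled, so such an input escapes the model as an exception instead of yielding nil. The removed `Goldfinger.finger` monkey-patch raised the same error, so this is pre-existing rather than introduced here, but if the intended outcome is a plain validation failure extend the list: `rescue Goldfinger::Error, HTTP::ConnectionError, Mastodon::HostValidationError`. If instead the error is meant to surface to the controller, a comment saying so would stop the next reader from adding it.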
@@ -35,12 +36,12 @@ class ActivityPub::FetchRemoteAccountService < BaseService private def verified_webfinger? - webfinger = Goldfinger.finger("acct:#{@username}@#{@domain}") + webfinger = webfinger!("acct:#{@username}@#{@domain}") confirmed_username, confirmed_domain = split_acct(webfinger.subject) return webfinger.link('self')&.href == @uri if @username.casecmp(confirmed_username).zero? && @domain.casecmp(confirmed_domain).zero? - webfinger = Goldfinger.finger("acct:#{confirmed_username}@#{confirmed_domain}") + webfinger = webfinger!("acct:#{confirmed_username}@#{confirmed_domain}") @username, @domain = split_acct(webfinger.subject) self_reference = webfinger.link('self') diff --git a/app/services/resolve_account_service.rb b/app/services/resolve_account_service.rb index 1ad9ed407..17ace100c 100644 --- a/app/services/resolve_account_service.rb +++ b/app/services/resolve_account_service.rb @@ -3,6 +3,7 @@ class ResolveAccountService < BaseService include JsonLdHelper include DomainControlHelper + include WebfingerHelper class WebfingerRedirectError < StandardError; end @@ -76,7 +77,7 @@ class ResolveAccountService < BaseService end def process_webfinger!(uri, redirected = false) - @webfinger = Goldfinger.finger("acct:#{uri}") + @webfinger = webfinger!("acct:#{uri}") confirmed_username, confirmed_domain = @webfinger.subject.gsub(/\Aacct:/, '').split('@') if confirmed_username.casecmp(@username).zero? && confirmed_domain.casecmp(@domain).zero? diff --git a/config/initializers/http_client_proxy.rb b/config/initializers/http_client_proxy.rb index 9d7b16e69..7a9b7b86d 100644 --- a/config/initializers/http_client_proxy.rb +++ b/config/initializers/http_client_proxy.rb 
@@ -1,24 +1,22 @@ Rails.application.configure do config.x.http_client_proxy = {} + if ENV['http_proxy'].present? proxy = URI.parse(ENV['http_proxy']) + raise "Unsupported proxy type: #{proxy.scheme}" unless %w(http https).include? proxy.scheme raise "No proxy host" unless proxy.host host = proxy.host host = host[1...-1] if host[0] == '[' # for IPv6 address - config.x.http_client_proxy[:proxy] = { proxy_address: host, proxy_port: proxy.port, proxy_username: proxy.user, proxy_password: proxy.password }.compact + + config.x.http_client_proxy[:proxy] = { + proxy_address: host, + proxy_port: proxy.port, + proxy_username: proxy.user, + proxy_password: proxy.password, + }.compact end config.x.access_to_hidden_service = ENV['ALLOW_ACCESS_TO_HIDDEN_SERVICE'] == 'true' end - -module Goldfinger - def self.finger(uri, opts = {}) - to_hidden = /\.(onion|i2p)(:\d+)?$/.match(uri) - raise Mastodon::HostValidationError, 'Instance does not support hidden service connections' if !Rails.configuration.x.access_to_hidden_service && to_hidden - opts = { ssl: !to_hidden, headers: {} }.merge(Rails.configuration.x.http_client_proxy).merge(opts) - opts[:headers]['User-Agent'] ||= Mastodon::Version.user_agent - Goldfinger::Client.new(uri, opts).finger - end -end diff --git a/spec/controllers/remote_follow_controller_spec.rb b/spec/controllers/remote_follow_controller_spec.rb index d79dd2949..3ef8f14d9 100644 --- a/spec/controllers/remote_follow_controller_spec.rb +++ b/spec/controllers/remote_follow_controller_spec.rb 
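Review bot: `%w(http https).include? proxy.scheme` drops the parentheses that the rest of the block uses (`URI.parse(ENV['http_proxy'])`); write `unless %w(http https).include?(proxy.scheme)`. With the monkey-patch moved out, nothing in this file shows that `config.x.http_client_proxy` is also merged into the WebFinger client options by `WebfingerHelper#webfinger!` (added in this same change); a header comment would keep that link: `# Outbound proxy / hidden-service settings; merged into client options by WebfingerHelper#webfinger! and other HTTP callers.` Both failure paths raise bare `RuntimeError`s, which is fine for a boot-time misconfiguration but worth a one-line comment stating that startup is meant to abort.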
@@ -35,7 +35,7 @@ describe RemoteFollowController do context 'when webfinger values are wrong' do it 'renders new when redirect url is nil' do resource_with_nil_link = double(link: nil) - allow(Goldfinger).to receive(:finger).with('acct:user@example.com').and_return(resource_with_nil_link) + allow_any_instance_of(WebfingerHelper).to receive(:webfinger!).with('acct:user@example.com').and_return(resource_with_nil_link) post :create, params: { account_username: @account.to_param, remote_follow: { acct: 'user@example.com' } } expect(response).to render_template(:new) @@ -45,7 +45,7 @@ describe RemoteFollowController do it 'renders new when template is nil' do link_with_nil_template = double(template: nil) resource_with_link = double(link: link_with_nil_template) - allow(Goldfinger).to receive(:finger).with('acct:user@example.com').and_return(resource_with_link) + allow_any_instance_of(WebfingerHelper).to receive(:webfinger!).with('acct:user@example.com').and_return(resource_with_link) post :create, params: { account_username: @account.to_param, remote_follow: { acct: 'user@example.com' } } expect(response).to render_template(:new) @@ -57,7 +57,7 @@ describe RemoteFollowController do before do link_with_template = double(template: 'http://example.com/follow_me?acct={uri}') resource_with_link = double(link: link_with_template) - allow(Goldfinger).to receive(:finger).with('acct:user@example.com').and_return(resource_with_link) + allow_any_instance_of(WebfingerHelper).to receive(:webfinger!).with('acct:user@example.com').and_return(resource_with_link) post :create, params: { account_username: @account.to_param, remote_follow: { acct: 'user@example.com' } } end 
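Review bot: Each of the five replaced stubs (this hunk, `@@ -45,7`, `@@ -57,7`, and the `@@ -79,7` and `@@ -87,7` hunks that follow) repeats `allow_any_instance_of(WebfingerHelper).to receive(:webfinger!).with(...)` and differs only in the `and_return`/`and_raise` tail. `allow_any_instance_of` is the construct rspec-mocks itself flags as a smell, and stubbing the module rather than `RemoteFollow` widens the stub to every class that includes `WebfingerHelper`; target the model, `allow_any_instance_of(RemoteFollow).to receive(:webfinger!).with('acct:user@example.com')`, and factor the shared line into a spec helper so the tail is the only thing each example states.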
@@ -79,7 +79,7 @@ describe RemoteFollowController do end it 'renders new with error when goldfinger fails' do - allow(Goldfinger).to receive(:finger).with('acct:user@example.com').and_raise(Goldfinger::Error) + allow_any_instance_of(WebfingerHelper).to receive(:webfinger!).with('acct:user@example.com').and_raise(Goldfinger::Error) post :create, params: { account_username: @account.to_param, remote_follow: { acct: 'user@example.com' } } expect(response).to render_template(:new) @@ -87,7 +87,7 @@ describe RemoteFollowController do end it 'renders new when occur HTTP::ConnectionError' do - allow(Goldfinger).to receive(:finger).with('acct:user@unknown').and_raise(HTTP::ConnectionError) + allow_any_instance_of(WebfingerHelper).to receive(:webfinger!).with('acct:user@unknown').and_raise(HTTP::ConnectionError) post :create, params: { account_username: @account.to_param, remote_follow: { acct: 'user@unknown' } } expect(response).to render_template(:new) -- cgit