Leatherface/mastodon
1
0
Fork 0
mirror of https://github.com/glitch-soc/mastodon.git synced 2025-12-11 14:30:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3233 from ClearlyClaire/glitch-soc/merge-4.3

Browse Source 
Merge upstream changes up to 6dee9a12d2 into stable-4.3
This commit is contained in:
Claire
2025-10-13 16:15:00 +02:00
committed by GitHub
parent 90955d4ca5 f97834019a
commit 99efed9aee
11 changed files with 116 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGELOG.md
View File

@@ -2,6 +2,19 @@
All notable changes to this project will be documented in this file.
## [4.3.14] - 2025-10-13
### Security
- Update dependencies `rack` and `uri`
- Fix streaming server connection not being closed on user suspension (by @ThisIsMissEm, [GHSA-r2fh-jr9c-9pxh](https://github.com/mastodon/mastodon/security/advisories/GHSA-r2fh-jr9c-9pxh))
- Fix password change through admin CLI not invalidating existing sessions and access tokens (by @ThisIsMissEm, [GHSA-f3q3-rmf7-9655](https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q3-rmf7-9655))
- Fix streaming server allowing access to public timelines even without the `read` or `read:statuses` OAuth scopes (by @ThisIsMissEm, [GHSA-7gwh-mw97-qjgp](https://github.com/mastodon/mastodon/security/advisories/GHSA-7gwh-mw97-qjgp))
### Fixed
- Fix redirect to external object when URL is missing or malformed (#36347 by @ClearlyClaire)
## [4.3.13] - 2025-09-23
### Security

4
Gemfile.lock
View File

@@ -492,7 +492,7 @@ GEM
validate_email
validate_url
webfinger (~> 1.2)
openssl (3.2.0)
openssl (3.2.2)
openssl-signature_algorithm (1.3.0)
openssl (> 2.0)
opentelemetry-api (1.4.0)
@@ -619,7 +619,7 @@ GEM
activesupport (>= 3.0.0)
raabro (1.4.0)
racc (1.8.1)
rack (2.2.19)
rack (2.2.20)
rack-attack (6.7.0)
rack (>= 1.0, < 4)
rack-cors (2.0.2)

4
app/models/concerns/account/suspensions.rb
View File

@@ -32,6 +32,10 @@ module Account::Suspensions
update!(suspended_at: date, suspension_origin: origin)
create_canonical_email_block! if block_email
end
# This terminates all connections for the given account with the streaming
# server:
redis.publish("timeline:system:#{id}", Oj.dump(event: :kill)) if local?
end
def unsuspend!

17
app/models/user.rb
View File

@@ -183,6 +183,10 @@ class User < ApplicationRecord
def disable!
update!(disabled: true)
# This terminates all connections for the given account with the streaming
# server:
redis.publish("timeline:system:#{account.id}", Oj.dump(event: :kill))
end
def enable!
@@ -360,17 +364,22 @@ class User < ApplicationRecord
end
def reset_password!
# First, change password to something random, this revokes sessions and on-going access:
change_password!(SecureRandom.hex)
# Finally, send a reset password prompt to the user
send_reset_password_instructions
end
def change_password!(new_password)
# First, change password to something random and deactivate all sessions
transaction do
update(password: SecureRandom.hex)
update(password: new_password)
session_activations.destroy_all
end
# Then, remove all authorized applications and connected push subscriptions
revoke_access!
# Finally, send a reset password prompt to the user
send_reset_password_instructions
end
protected

6
docker-compose.yml
View File

@@ -59,7 +59,7 @@ services:
web:
# You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
# build: .
image: ghcr.io/glitch-soc/mastodon:v4.3.13
image: ghcr.io/glitch-soc/mastodon:v4.3.14
restart: always
env_file: .env.production
command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
# build:
# dockerfile: ./streaming/Dockerfile
# context: .
image: ghcr.io/glitch-soc/mastodon-streaming:v4.3.13
image: ghcr.io/glitch-soc/mastodon-streaming:v4.3.14
restart: always
env_file: .env.production
command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
sidekiq:
# You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
# build: .
image: ghcr.io/glitch-soc/mastodon:v4.3.13
image: ghcr.io/glitch-soc/mastodon:v4.3.14
restart: always
env_file: .env.production
command: bundle exec sidekiq

7
lib/mastodon/cli/accounts.rb
View File

@@ -159,14 +159,17 @@ module Mastodon::CLI
user.role_id = nil
end
password = SecureRandom.hex if options[:reset_password]
user.password = password if options[:reset_password]
user.email = options[:email] if options[:email]
user.disabled = false if options[:enable]
user.disabled = true if options[:disable]
user.approved = true if options[:approve]
user.otp_required_for_login = false if options[:disable_2fa]
# Password changes are a little different, as we also need to ensure
# sessions, subscriptions, and access tokens are revoked after changing:
password = SecureRandom.hex if options[:reset_password]
user.change_password!(password) if options[:reset_password]
if user.save
user.confirm if options[:confirm]

2
lib/mastodon/version.rb
View File

@@ -13,7 +13,7 @@ module Mastodon
end
def patch
13
14
end
def default_prerelease

13
spec/lib/mastodon/cli/accounts_spec.rb
View File

@@ -335,11 +335,20 @@ RSpec.describe Mastodon::CLI::Accounts do
context 'with --reset-password option' do
let(:options) { { reset_password: true } }
let(:user) { Fabricate(:user, password: original_password) }
let(:original_password) { 'foobar12345' }
let(:new_password) { 'new_password12345' }
it 'returns a new password for the user' do
allow(SecureRandom).to receive(:hex).and_return('new_password')
allow(SecureRandom).to receive(:hex).and_return(new_password)
allow(Account).to receive(:find_local).and_return(user.account)
allow(user).to receive(:change_password!).and_call_original
expect { subject }
.to output_results('new_password')
.to output_results(new_password)
expect(user).to have_received(:change_password!).with(new_password)
expect(user.reload).to_not be_external_or_valid_password(original_password)
end
end

11
spec/models/user_spec.rb
View File

@@ -432,12 +432,15 @@ RSpec.describe User do
let(:current_sign_in_at) { Time.zone.now }
before do
user.disable!
end
it 'disables user' do
allow(redis).to receive(:publish)
user.disable!
expect(user).to have_attributes(disabled: true)
expect(redis)
.to have_received(:publish).with("timeline:system:#{user.account.id}", Oj.dump(event: :kill)).once
end
end

48
spec/system/streaming/streaming_spec.rb
View File

@@ -74,4 +74,52 @@ RSpec.describe 'Streaming', :inline_jobs, :streaming do
expect(streaming_client.open?).to be(false)
end
end
context 'with a disabled user account' do
before do
user.disable!
end
it 'receives an 401 unauthorized error when trying to connect' do
streaming_client.connect
expect(streaming_client.status).to eq(401)
expect(streaming_client.open?).to be(false)
end
end
context 'when the user account is disabled whilst connected' do
it 'terminates the connection for the user' do
streaming_client.connect
user.disable!
expect(streaming_client.wait_for(:closed).code).to be(1000)
expect(streaming_client.open?).to be(false)
end
end
context 'with a suspended user account' do
before do
user.account.suspend!
end
it 'receives an 401 unauthorized error when trying to connect' do
streaming_client.connect
expect(streaming_client.status).to eq(401)
expect(streaming_client.open?).to be(false)
end
end
context 'when the user account is suspended whilst connected' do
it 'terminates the connection for the user' do
streaming_client.connect
user.account.suspend!
expect(streaming_client.wait_for(:closed).code).to be(1000)
expect(streaming_client.open?).to be(false)
end
end
end

27
streaming/index.js
View File

@@ -78,16 +78,6 @@ const parseJSON = (json, req) => {
}
};
const PUBLIC_CHANNELS = [
'public',
'public:media',
'public:local',
'public:local:media',
'public:remote',
'public:remote:media',
'hashtag',
'hashtag:local',
];
// Used for priming the counters/gauges for the various metrics that are
// per-channel
@@ -97,7 +87,14 @@ const CHANNEL_NAMES = [
'user:notification',
'list',
'direct',
...PUBLIC_CHANNELS
'public',
'public:media',
'public:local',
'public:local:media',
'public:remote',
'public:remote:media',
'hashtag',
'hashtag:local'
];
const startServer = async () => {
@@ -354,7 +351,7 @@ const startServer = async () => {
* @returns {Promise<ResolvedAccount>}
*/
const accountFromToken = async (token, req) => {
const result = await pgPool.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL LIMIT 1', [token]);
const result = await pgPool.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id INNER JOIN accounts ON accounts.id = users.account_id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL AND users.disabled IS FALSE AND accounts.suspended_at IS NULL LIMIT 1', [token]);
if (result.rows.length === 0) {
throw new AuthenticationError('Invalid access token');
@@ -433,12 +430,6 @@ const startServer = async () => {
const checkScopes = (req, logger, channelName) => new Promise((resolve, reject) => {
logger.debug(`Checking OAuth scopes for ${channelName}`);
// When accessing public channels, no scopes are needed
if (channelName && PUBLIC_CHANNELS.includes(channelName)) {
resolve();
return;
}
// The `read` scope has the highest priority, if the token has it
// then it can access all streams
const requiredScopes = ['read'];