Leatherface/mastodon
1
0
Fork 0
mirror of https://github.com/glitch-soc/mastodon.git synced 2026-03-29 03:00:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3419 from ClearlyClaire/glitch-soc/merge-4.4

Browse Source 
Merge upstream changes up to 1e5ac0f491 into stable-4.4
This commit is contained in:
Claire
2026-02-24 15:48:00 +01:00
committed by GitHub
parent 418370d561 f926bf9a42
commit f0b875f9c3
24 changed files with 248 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
CHANGELOG.md
View File

@@ -2,6 +2,22 @@
All notable changes to this project will be documented in this file.
## [4.4.14] - 2026-02-24
### Security
- Reject unconfirmed FASPs (#37926 by @oneiros, [GHSA-qgmm-vr4c-ggjg](https://github.com/mastodon/mastodon/security/advisories/GHSA-qgmm-vr4c-ggjg))
- Re-use custom socket class for FASP requests (#37925 by @oneiros, [GHSA-46w6-g98f-wxqm](https://github.com/mastodon/mastodon/security/advisories/GHSA-46w6-g98f-wxqm))
### Added
- Add `--suspended-only` option to `tootctl emoji purge` (#37828 and #37861 by @ClearlyClaire and @mjankowski)
### Fixed
- Fix custom emojis not being purged on domain suspension (#37808 by @ClearlyClaire)
- Fix processing of object updates with duplicate hashtags (#37756 by @ClearlyClaire)
## [4.4.13] - 2026-02-03
### Security

2
app/controllers/api/fasp/base_controller.rb
View File

@@ -47,7 +47,7 @@ class Api::Fasp::BaseController < ApplicationController
provider = nil
Linzer.verify!(request.rack_request, no_older_than: 5.minutes) do |keyid|
provider = Fasp::Provider.find(keyid)
provider = Fasp::Provider.confirmed.find(keyid)
Linzer.new_ed25519_public_key(provider.provider_public_key_pem, keyid)
end

2
app/lib/fasp/request.rb
View File

@@ -29,7 +29,7 @@ class Fasp::Request
response = HTTP
.headers(headers)
.use(http_signature: { key:, covered_components: COVERED_COMPONENTS })
.send(verb, url, body:)
.send(verb, url, body:, socket_class: ::Request::Socket)
validate!(response)

2
app/lib/request.rb
View File

@@ -349,5 +349,5 @@ class Request
end
end
private_constant :ClientLimit, :Socket, :ProxySocket
private_constant :ClientLimit
end

1
app/models/fasp/provider.rb
View File

@@ -34,6 +34,7 @@ class Fasp::Provider < ApplicationRecord
before_create :create_keypair
after_commit :update_remote_capabilities
scope :confirmed, -> { where(confirmed: true) }
scope :with_capability, lambda { |capability_name|
where('fasp_providers.capabilities @> ?::jsonb', "[{\"id\": \"#{capability_name}\", \"enabled\": true}]")
}

2
app/services/activitypub/process_status_update_service.rb
View File

@@ -209,7 +209,7 @@ class ActivityPub::ProcessStatusUpdateService < BaseService
Tag.find_or_create_by_names([tag]).filter(&:valid?)
rescue ActiveRecord::RecordInvalid
[]
end
end.uniq
return unless @status.distributable?

7
app/services/block_domain_service.rb
View File

@@ -29,7 +29,12 @@ class BlockDomainService < BaseService
suspend_accounts!
end
DomainClearMediaWorker.perform_async(domain_block.id) if domain_block.reject_media?
if domain_block.suspend?
# Account images and attachments are already handled by `suspend_accounts!`
PurgeCustomEmojiWorker.perform_async(blocked_domain)
elsif domain_block.reject_media?
DomainClearMediaWorker.perform_async(domain_block.id)
end
end
def silence_accounts!

15
app/workers/purge_custom_emoji_worker.rb Normal file
View File

@@ -0,0 +1,15 @@
# frozen_string_literal: true
class PurgeCustomEmojiWorker
include Sidekiq::IterableJob
def build_enumerator(domain, cursor:)
return if domain.blank?
active_record_batches_enumerator(CustomEmoji.by_domain_and_subdomains(domain), cursor:)
end
def each_iteration(custom_emojis, _domain)
AttachmentBatch.new(CustomEmoji, custom_emojis).delete
end
end

6
docker-compose.yml
View File

@@ -59,7 +59,7 @@ services:
web:
# You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
# build: .
image: ghcr.io/glitch-soc/mastodon:v4.4.13
image: ghcr.io/glitch-soc/mastodon:v4.4.14
restart: always
env_file: .env.production
command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
# build:
# dockerfile: ./streaming/Dockerfile
# context: .
image: ghcr.io/glitch-soc/mastodon-streaming:v4.4.13
image: ghcr.io/glitch-soc/mastodon-streaming:v4.4.14
restart: always
env_file: .env.production
command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
sidekiq:
# You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
# build: .
image: ghcr.io/glitch-soc/mastodon:v4.4.13
image: ghcr.io/glitch-soc/mastodon:v4.4.14
restart: always
env_file: .env.production
command: bundle exec sidekiq

16
lib/mastodon/cli/emoji.rb
View File

@@ -109,15 +109,27 @@ module Mastodon::CLI
end
option :remote_only, type: :boolean
option :suspended_only, type: :boolean
desc 'purge', 'Remove all custom emoji'
long_desc <<-LONG_DESC
Removes all custom emoji.
With the --remote-only option, only remote emoji will be deleted.
With the --suspended-only option, only emoji from suspended servers will be deleted.
LONG_DESC
def purge
scope = options[:remote_only] ? CustomEmoji.remote : CustomEmoji
scope.in_batches.destroy_all
if options[:suspended_only]
DomainBlock.where(severity: :suspend).find_each do |domain_block|
CustomEmoji.by_domain_and_subdomains(domain_block.domain).find_in_batches do |custom_emojis|
AttachmentBatch.new(CustomEmoji, custom_emojis).delete
end
end
else
scope = options[:remote_only] ? CustomEmoji.remote : CustomEmoji
scope.in_batches.destroy_all
end
say('OK', :green)
end

2
lib/mastodon/version.rb
View File

@@ -13,7 +13,7 @@ module Mastodon
end
def patch
13
14
end
def default_prerelease

18
spec/lib/fasp/request_spec.rb
View File

@@ -55,6 +55,24 @@ RSpec.describe Fasp::Request do
end
end
end
context 'when the provider host name resolves to a private address' do
around do |example|
WebMock.disable!
example.run
WebMock.enable!
end
it 'raises Mastodon::ValidationError' do
resolver = instance_double(Resolv::DNS)
allow(resolver).to receive(:getaddresses).with('reqprov.example.com').and_return(%w(0.0.0.0 2001:db8::face))
allow(resolver).to receive(:timeouts=).and_return(nil)
allow(Resolv::DNS).to receive(:open).and_yield(resolver)
expect { subject.send(method, '/test_path') }.to raise_error(Mastodon::ValidationError)
end
end
end
describe '#get' do

30
spec/lib/mastodon/cli/emoji_spec.rb
View File

@@ -23,6 +23,36 @@ RSpec.describe Mastodon::CLI::Emoji do
.to output_results('OK')
end
end
context 'with --suspended-only and existing custom emoji on blocked servers' do
let(:blocked_domain) { 'evil.com' }
let(:blocked_subdomain) { 'subdomain.evil.org' }
let(:blocked_domain_without_emoji) { 'blocked.com' }
let(:silenced_domain) { 'silenced.com' }
let(:options) { { suspended_only: true } }
before do
Fabricate(:custom_emoji)
Fabricate(:custom_emoji, domain: blocked_domain)
Fabricate(:custom_emoji, domain: blocked_subdomain)
Fabricate(:custom_emoji, domain: silenced_domain)
Fabricate(:domain_block, severity: :suspend, domain: blocked_domain)
Fabricate(:domain_block, severity: :suspend, domain: 'evil.org')
Fabricate(:domain_block, severity: :suspend, domain: blocked_domain_without_emoji)
Fabricate(:domain_block, severity: :silence, domain: silenced_domain)
end
it 'reports a successful purge' do
expect { subject }
.to output_results('OK')
.and change { CustomEmoji.by_domain_and_subdomains(blocked_domain).count }.to(0)
.and change { CustomEmoji.by_domain_and_subdomains('evil.org').count }.to(0)
.and not_change { CustomEmoji.by_domain_and_subdomains(silenced_domain).count }
.and(not_change { CustomEmoji.local.count })
end
end
end
describe '#import' do

37
spec/requests/api/fasp/data_sharing/v0/backfill_requests_spec.rb
View File

@@ -6,34 +6,33 @@ RSpec.describe 'Api::Fasp::DataSharing::V0::BackfillRequests', feature: :fasp do
include ProviderRequestHelper
describe 'POST /api/fasp/data_sharing/v0/backfill_requests' do
let(:provider) { Fabricate(:fasp_provider) }
subject do
post api_fasp_data_sharing_v0_backfill_requests_path, headers:, params:, as: :json
end
let(:provider) { Fabricate(:confirmed_fasp) }
let(:params) { { category: 'content', maxCount: 10 } }
let(:headers) do
request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_backfill_requests_url,
method: :post,
body: params)
end
it_behaves_like 'forbidden for unconfirmed provider'
context 'with valid parameters' do
it 'creates a new backfill request' do
params = { category: 'content', maxCount: 10 }
headers = request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_backfill_requests_url,
method: :post,
body: params)
expect do
post api_fasp_data_sharing_v0_backfill_requests_path, headers:, params:, as: :json
end.to change(Fasp::BackfillRequest, :count).by(1)
expect { subject }.to change(Fasp::BackfillRequest, :count).by(1)
expect(response).to have_http_status(201)
end
end
context 'with invalid parameters' do
it 'does not create a backfill request' do
params = { category: 'unknown', maxCount: 10 }
headers = request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_backfill_requests_url,
method: :post,
body: params)
let(:params) { { category: 'unknown', maxCount: 10 } }
expect do
post api_fasp_data_sharing_v0_backfill_requests_path, headers:, params:, as: :json
end.to_not change(Fasp::BackfillRequest, :count)
it 'does not create a backfill request' do
expect { subject }.to_not change(Fasp::BackfillRequest, :count)
expect(response).to have_http_status(422)
end
end

21
spec/requests/api/fasp/data_sharing/v0/continuations_spec.rb
View File

@@ -6,15 +6,22 @@ RSpec.describe 'Api::Fasp::DataSharing::V0::Continuations', feature: :fasp do
include ProviderRequestHelper
describe 'POST /api/fasp/data_sharing/v0/backfill_requests/:id/continuations' do
let(:backfill_request) { Fabricate(:fasp_backfill_request) }
let(:provider) { backfill_request.fasp_provider }
subject do
post api_fasp_data_sharing_v0_backfill_request_continuation_path(backfill_request), headers:, as: :json
end
let(:provider) { Fabricate(:confirmed_fasp) }
let(:backfill_request) { Fabricate(:fasp_backfill_request, fasp_provider: provider) }
let(:headers) do
request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_backfill_request_continuation_url(backfill_request),
method: :post)
end
it_behaves_like 'forbidden for unconfirmed provider'
it 'queues a job to continue the given backfill request' do
headers = request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_backfill_request_continuation_url(backfill_request),
method: :post)
post api_fasp_data_sharing_v0_backfill_request_continuation_path(backfill_request), headers:, as: :json
subject
expect(response).to have_http_status(204)
expect(Fasp::BackfillWorker).to have_enqueued_sidekiq_job(backfill_request.id)
end

58
spec/requests/api/fasp/data_sharing/v0/event_subscriptions_spec.rb
View File

@@ -6,51 +6,57 @@ RSpec.describe 'Api::Fasp::DataSharing::V0::EventSubscriptions', feature: :fasp
include ProviderRequestHelper
describe 'POST /api/fasp/data_sharing/v0/event_subscriptions' do
let(:provider) { Fabricate(:fasp_provider) }
subject do
post api_fasp_data_sharing_v0_event_subscriptions_path, headers:, params:, as: :json
end
let(:provider) { Fabricate(:confirmed_fasp) }
let(:params) { { category: 'content', subscriptionType: 'lifecycle', maxBatchSize: 10 } }
let(:headers) do
request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_event_subscriptions_url,
method: :post,
body: params)
end
it_behaves_like 'forbidden for unconfirmed provider'
context 'with valid parameters' do
it 'creates a new subscription' do
params = { category: 'content', subscriptionType: 'lifecycle', maxBatchSize: 10 }
headers = request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_event_subscriptions_url,
method: :post,
body: params)
expect do
post api_fasp_data_sharing_v0_event_subscriptions_path, headers:, params:, as: :json
subject
end.to change(Fasp::Subscription, :count).by(1)
expect(response).to have_http_status(201)
end
end
context 'with invalid parameters' do
it 'does not create a subscription' do
params = { category: 'unknown' }
headers = request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_event_subscriptions_url,
method: :post,
body: params)
let(:params) { { category: 'unknown' } }
expect do
post api_fasp_data_sharing_v0_event_subscriptions_path, headers:, params:, as: :json
end.to_not change(Fasp::Subscription, :count)
it 'does not create a subscription' do
expect { subject }.to_not change(Fasp::Subscription, :count)
expect(response).to have_http_status(422)
end
end
end
describe 'DELETE /api/fasp/data_sharing/v0/event_subscriptions/:id' do
let(:subscription) { Fabricate(:fasp_subscription) }
let(:provider) { subscription.fasp_provider }
subject do
delete api_fasp_data_sharing_v0_event_subscription_path(subscription), headers:, as: :json
end
let(:provider) { Fabricate(:confirmed_fasp) }
let!(:subscription) { Fabricate(:fasp_subscription, fasp_provider: provider) }
let(:headers) do
request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_event_subscription_url(subscription),
method: :delete)
end
it_behaves_like 'forbidden for unconfirmed provider'
it 'deletes the subscription' do
headers = request_authentication_headers(provider,
url: api_fasp_data_sharing_v0_event_subscription_url(subscription),
method: :delete)
expect do
delete api_fasp_data_sharing_v0_event_subscription_path(subscription), headers:, as: :json
end.to change(Fasp::Subscription, :count).by(-1)
expect { subject }.to change(Fasp::Subscription, :count).by(-1)
expect(response).to have_http_status(204)
end
end

25
spec/requests/api/fasp/debug/v0/callback/responses_spec.rb
View File

@@ -6,18 +6,23 @@ RSpec.describe 'Api::Fasp::Debug::V0::Callback::Responses', feature: :fasp do
include ProviderRequestHelper
describe 'POST /api/fasp/debug/v0/callback/responses' do
let(:provider) { Fabricate(:debug_fasp) }
subject do
post api_fasp_debug_v0_callback_responses_path, headers:, params: payload, as: :json
end
let(:provider) { Fabricate(:confirmed_fasp) }
let(:payload) { { test: 'call' } }
let(:headers) do
request_authentication_headers(provider,
url: api_fasp_debug_v0_callback_responses_url,
method: :post,
body: payload)
end
it_behaves_like 'forbidden for unconfirmed provider'
it 'create a record of the callback' do
payload = { test: 'call' }
headers = request_authentication_headers(provider,
url: api_fasp_debug_v0_callback_responses_url,
method: :post,
body: payload)
expect do
post api_fasp_debug_v0_callback_responses_path, headers:, params: payload, as: :json
end.to change(Fasp::DebugCallback, :count).by(1)
expect { subject }.to change(Fasp::DebugCallback, :count).by(1)
expect(response).to have_http_status(201)
debug_callback = Fasp::DebugCallback.last

4
spec/services/activitypub/process_status_update_service_spec.rb
View File

@@ -259,6 +259,8 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService do
{ type: 'Hashtag', name: 'foo' },
{ type: 'Hashtag', name: 'bar' },
{ type: 'Hashtag', name: '#2024' },
{ type: 'Hashtag', name: 'Foo Bar' },
{ type: 'Hashtag', name: 'FooBar' },
],
}
end
@@ -270,7 +272,7 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService do
it 'updates tags and featured tags' do
expect { subject.call(status, json, json) }
.to change { status.tags.reload.pluck(:name) }.from(contain_exactly('test', 'foo')).to(contain_exactly('foo', 'bar'))
.to change { status.tags.reload.pluck(:name) }.from(contain_exactly('test', 'foo')).to(contain_exactly('foo', 'bar', 'foobar'))
.and change { status.account.featured_tags.find_by(name: 'test').statuses_count }.by(-1)
.and change { status.account.featured_tags.find_by(name: 'bar').statuses_count }.by(1)
.and change { status.account.featured_tags.find_by(name: 'bar').last_status_at }.from(nil).to(be_present)

13
spec/support/examples/fasp/api.rb Normal file
View File

@@ -0,0 +1,13 @@
# frozen_string_literal: true
RSpec.shared_examples 'forbidden for unconfirmed provider' do
context 'when the requesting provider is unconfirmed' do
let(:provider) { Fabricate(:fasp_provider) }
it 'returns http unauthorized' do
subject
expect(response).to have_http_status(401)
end
end
end

5
spec/workers/fasp/announce_account_lifecycle_event_worker_spec.rb
View File

@@ -6,10 +6,11 @@ RSpec.describe Fasp::AnnounceAccountLifecycleEventWorker do
include ProviderRequestHelper
let(:account_uri) { 'https://masto.example.com/accounts/1' }
let(:provider) { Fabricate(:confirmed_fasp) }
let(:subscription) do
Fabricate(:fasp_subscription, category: 'account')
Fabricate(:fasp_subscription, fasp_provider: provider, category: 'account')
end
let(:provider) { subscription.fasp_provider }
let!(:stubbed_request) do
stub_provider_request(provider,
method: :post,

5
spec/workers/fasp/announce_content_lifecycle_event_worker_spec.rb
View File

@@ -6,10 +6,11 @@ RSpec.describe Fasp::AnnounceContentLifecycleEventWorker do
include ProviderRequestHelper
let(:status_uri) { 'https://masto.example.com/status/1' }
let(:provider) { Fabricate(:confirmed_fasp) }
let(:subscription) do
Fabricate(:fasp_subscription)
Fabricate(:fasp_subscription, fasp_provider: provider)
end
let(:provider) { subscription.fasp_provider }
let!(:stubbed_request) do
stub_provider_request(provider,
method: :post,

3
spec/workers/fasp/announce_trend_worker_spec.rb
View File

@@ -6,14 +6,15 @@ RSpec.describe Fasp::AnnounceTrendWorker do
include ProviderRequestHelper
let(:status) { Fabricate(:status) }
let(:provider) { Fabricate(:confirmed_fasp) }
let(:subscription) do
Fabricate(:fasp_subscription,
fasp_provider: provider,
category: 'content',
subscription_type: 'trends',
threshold_timeframe: 15,
threshold_likes: 2)
end
let(:provider) { subscription.fasp_provider }
let!(:stubbed_request) do
stub_provider_request(provider,
method: :post,

6
spec/workers/fasp/backfill_worker_spec.rb
View File

@@ -5,8 +5,10 @@ require 'rails_helper'
RSpec.describe Fasp::BackfillWorker do
include ProviderRequestHelper
let(:backfill_request) { Fabricate(:fasp_backfill_request) }
let(:provider) { backfill_request.fasp_provider }
subject { described_class.new.perform(backfill_request.id) }
let(:provider) { Fabricate(:confirmed_fasp) }
let(:backfill_request) { Fabricate(:fasp_backfill_request, fasp_provider: provider) }
let(:status) { Fabricate(:status) }
let!(:stubbed_request) do
stub_provider_request(provider,

33
spec/workers/purge_custom_emoji_worker_spec.rb Normal file
View File

@@ -0,0 +1,33 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe PurgeCustomEmojiWorker do
let(:worker) { described_class.new }
let(:domain) { 'evil' }
before do
Fabricate(:custom_emoji)
Fabricate(:custom_emoji, domain: 'example.com')
Fabricate.times(5, :custom_emoji, domain: domain)
end
describe '#perform' do
context 'when domain is nil' do
it 'does not delete emojis' do
expect { worker.perform(nil) }
.to_not(change(CustomEmoji, :count))
end
end
context 'when passing a domain' do
it 'deletes emojis from this domain only' do
expect { worker.perform(domain) }
.to change { CustomEmoji.where(domain: domain).count }.to(0)
.and not_change { CustomEmoji.local.count }
.and(not_change { CustomEmoji.where(domain: 'example.com').count })
end
end
end
end