Leatherface/mastodon
1
0
Fork 0
mirror of https://github.com/glitch-soc/mastodon.git synced 2025-12-11 14:30:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge commit '6dee9a12d2c2c3671ad9f4bc035f050a7c9549c5' into glitch-soc/merge-4.3

Browse Source
This commit is contained in:
Claire
2025-10-13 15:58:48 +02:00
parent 90955d4ca5 6dee9a12d2
commit f97834019a
11 changed files with 116 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGELOG.md
View File

@@ -2,6 +2,19 @@
All notable changes to this project will be documented in this file.
## [4.3.14] - 2025-10-13
### Security
- Update dependencies `rack` and `uri`
- Fix streaming server connection not being closed on user suspension (by @ThisIsMissEm, [GHSA-r2fh-jr9c-9pxh](https://github.com/mastodon/mastodon/security/advisories/GHSA-r2fh-jr9c-9pxh))
- Fix password change through admin CLI not invalidating existing sessions and access tokens (by @ThisIsMissEm, [GHSA-f3q3-rmf7-9655](https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q3-rmf7-9655))
- Fix streaming server allowing access to public timelines even without the `read` or `read:statuses` OAuth scopes (by @ThisIsMissEm, [GHSA-7gwh-mw97-qjgp](https://github.com/mastodon/mastodon/security/advisories/GHSA-7gwh-mw97-qjgp))
### Fixed
- Fix redirect to external object when URL is missing or malformed (#36347 by @ClearlyClaire)
## [4.3.13] - 2025-09-23
### Security

4
Gemfile.lock
View File

@@ -492,7 +492,7 @@ GEM
validate_email
validate_url
webfinger (~> 1.2)
openssl (3.2.0)
openssl (3.2.2)
openssl-signature_algorithm (1.3.0)
openssl (> 2.0)
opentelemetry-api (1.4.0)
@@ -619,7 +619,7 @@ GEM
activesupport (>= 3.0.0)
raabro (1.4.0)
racc (1.8.1)
rack (2.2.19)
rack (2.2.20)
rack-attack (6.7.0)
rack (>= 1.0, < 4)
rack-cors (2.0.2)

4
app/models/concerns/account/suspensions.rb
View File

@@ -32,6 +32,10 @@ module Account::Suspensions
update!(suspended_at: date, suspension_origin: origin)
create_canonical_email_block! if block_email
end
# This terminates all connections for the given account with the streaming
# server:
redis.publish("timeline:system:#{id}", Oj.dump(event: :kill)) if local?
end
def unsuspend!

17
app/models/user.rb
View File

@@ -183,6 +183,10 @@ class User < ApplicationRecord
def disable!
update!(disabled: true)
# This terminates all connections for the given account with the streaming
# server:
redis.publish("timeline:system:#{account.id}", Oj.dump(event: :kill))
end
def enable!
@@ -360,17 +364,22 @@ class User < ApplicationRecord
end
def reset_password!
# First, change password to something random, this revokes sessions and on-going access:
change_password!(SecureRandom.hex)
# Finally, send a reset password prompt to the user
send_reset_password_instructions
end
def change_password!(new_password)
# First, change password to something random and deactivate all sessions
transaction do
update(password: SecureRandom.hex)
update(password: new_password)
session_activations.destroy_all
end
# Then, remove all authorized applications and connected push subscriptions
revoke_access!
# Finally, send a reset password prompt to the user
send_reset_password_instructions
end
protected

6
docker-compose.yml
View File

@@ -59,7 +59,7 @@ services:
web:
# You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
# build: .
image: ghcr.io/glitch-soc/mastodon:v4.3.13
image: ghcr.io/glitch-soc/mastodon:v4.3.14
restart: always
env_file: .env.production
command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
# build:
# dockerfile: ./streaming/Dockerfile
# context: .
image: ghcr.io/glitch-soc/mastodon-streaming:v4.3.13
image: ghcr.io/glitch-soc/mastodon-streaming:v4.3.14
restart: always
env_file: .env.production
command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
sidekiq:
# You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
# build: .
image: ghcr.io/glitch-soc/mastodon:v4.3.13
image: ghcr.io/glitch-soc/mastodon:v4.3.14
restart: always
env_file: .env.production
command: bundle exec sidekiq

7
lib/mastodon/cli/accounts.rb
View File

@@ -159,14 +159,17 @@ module Mastodon::CLI
user.role_id = nil
end
password = SecureRandom.hex if options[:reset_password]
user.password = password if options[:reset_password]
user.email = options[:email] if options[:email]
user.disabled = false if options[:enable]
user.disabled = true if options[:disable]
user.approved = true if options[:approve]
user.otp_required_for_login = false if options[:disable_2fa]
# Password changes are a little different, as we also need to ensure
# sessions, subscriptions, and access tokens are revoked after changing:
password = SecureRandom.hex if options[:reset_password]
user.change_password!(password) if options[:reset_password]
if user.save
user.confirm if options[:confirm]

2
lib/mastodon/version.rb
View File

@@ -13,7 +13,7 @@ module Mastodon
end
def patch
13
14
end
def default_prerelease

13
spec/lib/mastodon/cli/accounts_spec.rb
View File

@@ -335,11 +335,20 @@ RSpec.describe Mastodon::CLI::Accounts do
context 'with --reset-password option' do
let(:options) { { reset_password: true } }
let(:user) { Fabricate(:user, password: original_password) }
let(:original_password) { 'foobar12345' }
let(:new_password) { 'new_password12345' }
it 'returns a new password for the user' do
allow(SecureRandom).to receive(:hex).and_return('new_password')
allow(SecureRandom).to receive(:hex).and_return(new_password)
allow(Account).to receive(:find_local).and_return(user.account)
allow(user).to receive(:change_password!).and_call_original
expect { subject }
.to output_results('new_password')
.to output_results(new_password)
expect(user).to have_received(:change_password!).with(new_password)
expect(user.reload).to_not be_external_or_valid_password(original_password)
end
end

11
spec/models/user_spec.rb
View File

@@ -432,12 +432,15 @@ RSpec.describe User do
let(:current_sign_in_at) { Time.zone.now }
before do
user.disable!
end
it 'disables user' do
allow(redis).to receive(:publish)
user.disable!
expect(user).to have_attributes(disabled: true)
expect(redis)
.to have_received(:publish).with("timeline:system:#{user.account.id}", Oj.dump(event: :kill)).once
end
end

48
spec/system/streaming/streaming_spec.rb
View File

@@ -74,4 +74,52 @@ RSpec.describe 'Streaming', :inline_jobs, :streaming do
expect(streaming_client.open?).to be(false)
end
end
context 'with a disabled user account' do
before do
user.disable!
end
it 'receives an 401 unauthorized error when trying to connect' do
streaming_client.connect
expect(streaming_client.status).to eq(401)
expect(streaming_client.open?).to be(false)
end
end
context 'when the user account is disabled whilst connected' do
it 'terminates the connection for the user' do
streaming_client.connect
user.disable!
expect(streaming_client.wait_for(:closed).code).to be(1000)
expect(streaming_client.open?).to be(false)
end
end
context 'with a suspended user account' do
before do
user.account.suspend!
end
it 'receives an 401 unauthorized error when trying to connect' do
streaming_client.connect
expect(streaming_client.status).to eq(401)
expect(streaming_client.open?).to be(false)
end
end
context 'when the user account is suspended whilst connected' do
it 'terminates the connection for the user' do
streaming_client.connect
user.account.suspend!
expect(streaming_client.wait_for(:closed).code).to be(1000)
expect(streaming_client.open?).to be(false)
end
end
end

27
streaming/index.js
View File

@@ -78,16 +78,6 @@ const parseJSON = (json, req) => {
}
};
const PUBLIC_CHANNELS = [
'public',
'public:media',
'public:local',
'public:local:media',
'public:remote',
'public:remote:media',
'hashtag',
'hashtag:local',
];
// Used for priming the counters/gauges for the various metrics that are
// per-channel
@@ -97,7 +87,14 @@ const CHANNEL_NAMES = [
'user:notification',
'list',
'direct',
...PUBLIC_CHANNELS
'public',
'public:media',
'public:local',
'public:local:media',
'public:remote',
'public:remote:media',
'hashtag',
'hashtag:local'
];
const startServer = async () => {
@@ -354,7 +351,7 @@ const startServer = async () => {
* @returns {Promise<ResolvedAccount>}
*/
const accountFromToken = async (token, req) => {
const result = await pgPool.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL LIMIT 1', [token]);
const result = await pgPool.query('SELECT oauth_access_tokens.id, oauth_access_tokens.resource_owner_id, users.account_id, users.chosen_languages, oauth_access_tokens.scopes FROM oauth_access_tokens INNER JOIN users ON oauth_access_tokens.resource_owner_id = users.id INNER JOIN accounts ON accounts.id = users.account_id WHERE oauth_access_tokens.token = $1 AND oauth_access_tokens.revoked_at IS NULL AND users.disabled IS FALSE AND accounts.suspended_at IS NULL LIMIT 1', [token]);
if (result.rows.length === 0) {
throw new AuthenticationError('Invalid access token');
@@ -433,12 +430,6 @@ const startServer = async () => {
const checkScopes = (req, logger, channelName) => new Promise((resolve, reject) => {
logger.debug(`Checking OAuth scopes for ${channelName}`);
// When accessing public channels, no scopes are needed
if (channelName && PUBLIC_CHANNELS.includes(channelName)) {
resolve();
return;
}
// The `read` scope has the highest priority, if the token has it
// then it can access all streams
const requiredScopes = ['read'];