Merge pull request #19 from est-social/update-4.2.13

Update to 4.2.13

.bundler-audit.yml

@@ -4,3 +4,7 @@ ignore:
   # We have rate-limits on authentication endpoints in place (including second
   # factor verification) since Mastodon v3.2.0
   - CVE-2024-0227
+  # devise-two-factor advisory about generated secrets being weaker than expected
+  # We call `generate_otp_secret` ourselves with a requested length of 32 characters,
+  # which exceeds the recommended remediation of 26 characters, so we're safe
+  - CVE-2024-8796

CHANGELOG.md

@@ -2,6 +2,66 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.2.13] - 2024-09-30
+
+### Security
+
+- Fix ReDoS vulnerability on some Ruby versions ([GHSA-jpxp-r43f-rhvx](https://github.com/mastodon/mastodon/security/advisories/GHSA-jpxp-r43f-rhvx))
+- Update dependencies
+
+### Added
+
+- Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire)
+
+### Changed
+
+- Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire)
+
+### Fixed
+
+- Fix replies collection being cached improperly
+- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire)
+- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire)
+
+## [4.2.12] - 2024-08-19
+
+### Fixed
+
+- Fix broken notifications for mentions from local moderators ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/31484))
+
+## [4.2.11] - 2024-08-16
+
+### Added
+
+- Add support for incoming `<s>` tag ([mediaformat](https://github.com/mastodon/mastodon/pull/31375))
+
+### Changed
+
+- Change logic of block/mute bypass for mentions from moderators to only apply to visible roles with moderation powers ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/31271))
+
+### Fixed
+
+- Fix incorrect rate limit on PUT requests ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/31356))
+- Fix presence of `ß` in adjacent word preventing mention and hashtag matching ([adamniedzielski](https://github.com/mastodon/mastodon/pull/31122))
+- Fix processing of webfinger responses with multiple `self` links ([adamniedzielski](https://github.com/mastodon/mastodon/pull/31110))
+- Fix duplicate `orderedItems` in user archive's `outbox.json` ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/31099))
+- Fix click event handling when clicking outside of an open dropdown menu ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/31251))
+- Fix status processing failing halfway when a remote post has a malformed `replies` attribute ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/31246))
+- Fix `--verbose` option of `tootctl media remove`, which was previously erroneously removed ([mjankowski](https://github.com/mastodon/mastodon/pull/30536))
+- Fix division by zero on some video/GIF files ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/30600))
+- Fix Web UI trying to save user settings despite being logged out ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/30324))
+- Fix hashtag regexp matching some link anchors ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/30190))
+- Fix local account search on LDAP login being case-sensitive ([raucao](https://github.com/mastodon/mastodon/pull/30113))
+- Fix development environment admin account not being auto-approved ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/29958))
+- Fix report reason selector in moderation interface not unselecting rules when changing category ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/29026))
+- Fix already-invalid reports failing to resolve ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/29027))
+- Fix OCR when using S3/CDN for assets ([vmstan](https://github.com/mastodon/mastodon/pull/28551))
+- Fix error when encountering malformed `Tag` objects from Kbin ([ShadowJonathan](https://github.com/mastodon/mastodon/pull/28235))
+- Fix not all allowed image formats showing in file picker when uploading custom emoji ([june128](https://github.com/mastodon/mastodon/pull/28076))
+- Fix search popout listing unusable search options when logged out ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/27918))
+- Fix processing of featured collections lacking an `items` attribute ([tribela](https://github.com/mastodon/mastodon/pull/27581))
+- Fix `mastodon:stats` decoration of stats rake task ([mjankowski](https://github.com/mastodon/mastodon/pull/31104))
+
 ## [4.2.10] - 2024-07-04
 
 ### Security

Gemfile.lock

@@ -201,7 +201,7 @@ GEM
     climate_control (0.2.0)
     cocoon (1.2.15)
     color_diff (0.1)
-    concurrent-ruby (1.2.3)
+    concurrent-ruby (1.3.4)
     connection_pool (2.4.1)
     cose (1.3.0)
       cbor (~> 0.5.9)
@@ -256,7 +256,7 @@ GEM
       multi_json
     encryptor (3.0.0)
     erubi (1.12.0)
-    et-orbi (1.2.7)
+    et-orbi (1.2.11)
       tzinfo
     excon (0.100.0)
     fabrication (2.30.0)
@@ -306,8 +306,8 @@ GEM
       fog-json (>= 1.0)
       ipaddress (>= 0.8)
     formatador (0.3.0)
-    fugit (1.8.1)
-      et-orbi (~> 1, >= 1.2.7)
+    fugit (1.11.1)
+      et-orbi (~> 1, >= 1.2.11)
       raabro (~> 1.4)
     fuubar (2.5.1)
       rspec-core (~> 3.0)
@@ -469,7 +469,7 @@ GEM
       net-protocol
     net-ssh (7.1.0)
     nio4r (2.7.3)
-    nokogiri (1.16.6)
+    nokogiri (1.16.7)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     nsa (0.3.0)
@@ -478,16 +478,16 @@ GEM
       sidekiq (>= 3.5)
       statsd-ruby (~> 1.4, >= 1.4.0)
     oj (3.16.1)
-    omniauth (2.1.1)
+    omniauth (2.1.2)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
     omniauth-rails_csrf_protection (1.0.1)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    omniauth-saml (2.1.0)
-      omniauth (~> 2.0)
-      ruby-saml (~> 1.12)
+    omniauth-saml (2.1.2)
+      omniauth (~> 2.1)
+      ruby-saml (~> 1.17)
     omniauth_openid_connect (0.6.1)
       omniauth (>= 1.9, < 3)
       openid_connect (~> 1.1)
@@ -527,12 +527,12 @@ GEM
       premailer (~> 1.7, >= 1.7.9)
     private_address_check (0.5.0)
     public_suffix (5.0.3)
-    puma (6.4.2)
+    puma (6.4.3)
       nio4r (~> 2.0)
     pundit (2.3.0)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
-    racc (1.7.3)
+    racc (1.8.1)
     rack (2.2.9)
     rack-attack (6.7.0)
       rack (>= 1.0, < 4)
@@ -544,7 +544,7 @@ GEM
       httpclient
       json-jwt (>= 1.11.0)
       rack (>= 2.1.0)
-    rack-protection (3.0.5)
+    rack-protection (3.0.6)
       rack
     rack-proxy (0.7.6)
       rack
@@ -604,8 +604,7 @@ GEM
     responders (3.1.0)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    rexml (3.2.8)
-      strscan (>= 3.0.9)
+    rexml (3.3.7)
     rotp (6.3.0)
     rouge (4.1.2)
     rpam2 (4.0.2)
@@ -667,7 +666,7 @@ GEM
       rubocop-factory_bot (~> 2.22)
     ruby-prof (1.6.3)
     ruby-progressbar (1.13.0)
-    ruby-saml (1.15.0)
+    ruby-saml (1.17.0)
       nokogiri (>= 1.13.10)
       rexml
     ruby2_keywords (0.0.5)
@@ -731,7 +730,6 @@ GEM
       redlock (~> 1.0)
     strong_migrations (0.8.0)
       activerecord (>= 5.2)
-    strscan (3.0.9)
     swd (1.3.0)
       activesupport (>= 3)
       attr_required (>= 0.0.5)

app/controllers/activitypub/replies_controller.rb

@@ -14,7 +14,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   before_action :set_replies
 
   def index
-    expires_in 0, public: public_fetch_mode?
+    expires_in 0, public: @status.distributable? && public_fetch_mode?
     render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true
   end
 

app/javascript/mastodon/actions/settings.js

@@ -20,7 +20,7 @@ export function changeSetting(path, value) {
 }
 
 const debouncedSave = debounce((dispatch, getState) => {
-  if (getState().getIn(['settings', 'saved'])) {
+  if (getState().getIn(['settings', 'saved']) || !getState().getIn(['meta', 'me'])) {
     return;
   }
 

app/javascript/mastodon/components/admin/ReportReasonSelector.jsx

@@ -124,7 +124,7 @@ class ReportReasonSelector extends PureComponent {
 
     api().put(`/api/v1/admin/reports/${id}`, {
       category,
-      rule_ids,
+      rule_ids: category === 'violation' ? rule_ids : [],
     }).catch(err => {
       console.error(err);
     });

app/javascript/mastodon/components/dropdown_menu.jsx

@@ -40,6 +40,7 @@ class DropdownMenu extends PureComponent {
     if (this.node && !this.node.contains(e.target)) {
       this.props.onClose();
       e.stopPropagation();
+      e.preventDefault();
     }
   };
 

app/javascript/mastodon/features/compose/components/search.jsx

@@ -274,6 +274,7 @@ class Search extends PureComponent {
   }
 
   _calculateOptions (value) {
+    const { signedIn } = this.context.identity;
     const trimmedValue = value.trim();
     const options = [];
 
@@ -298,7 +299,7 @@ class Search extends PureComponent {
 
       const couldBeStatusSearch = searchEnabled;
 
-      if (couldBeStatusSearch) {
+      if (couldBeStatusSearch && signedIn) {
         options.push({ key: 'status-search', label: <FormattedMessage id='search.quick_action.status_search' defaultMessage='Posts matching {x}' values={{ x: <mark>{trimmedValue}</mark> }} />, action: this.handleStatusSearch });
       }
 
@@ -375,7 +376,7 @@ class Search extends PureComponent {
 
           <h4><FormattedMessage id='search_popout.options' defaultMessage='Search options' /></h4>
 
-          {searchEnabled ? (
+          {searchEnabled && signedIn ? (
             <div className='search__popout__menu'>
               {this.defaultOptions.map(({ key, label, action }, i) => (
                 <button key={key} onMouseDown={action} className={classNames('search__popout__menu__item', { selected: selectedOption === ((options.length || recent.size) + i) })}>
@@ -385,7 +386,11 @@ class Search extends PureComponent {
             </div>
           ) : (
             <div className='search__popout__menu__message'>
-              <FormattedMessage id='search_popout.full_text_search_disabled_message' defaultMessage='Not available on {domain}.' values={{ domain }} />
+              {searchEnabled ? (
+                <FormattedMessage id='search_popout.full_text_search_logged_out_message' defaultMessage='Only available when logged in.' />
+              ) : (
+                <FormattedMessage id='search_popout.full_text_search_disabled_message' defaultMessage='Not available on {domain}.' values={{ domain }} />
+              )}
             </div>
           )}
         </div>

app/javascript/mastodon/features/ui/components/focal_point_modal.jsx

@@ -221,7 +221,7 @@ class FocalPointModal extends ImmutablePureComponent {
       const worker = createWorker({
         workerPath: tesseractWorkerPath,
         corePath: tesseractCorePath,
-        langPath: `${assetHost}/ocr/lang-data/`,
+        langPath: `${assetHost}/ocr/lang-data`,
         logger: ({ status, progress }) => {
           if (status === 'recognizing text') {
             this.setState({ ocrStatus: 'detecting', progress });

app/javascript/mastodon/locales/en.json

@@ -591,6 +591,7 @@
   "search.quick_action.status_search": "Posts matching {x}",
   "search.search_or_paste": "Search or paste URL",
   "search_popout.full_text_search_disabled_message": "Not available on {domain}.",
+  "search_popout.full_text_search_logged_out_message": "Only available when logged in.",
   "search_popout.language_code": "ISO language code",
   "search_popout.options": "Search options",
   "search_popout.quick_actions": "Quick actions",

app/javascript/mastodon/locales/et.json

@@ -591,6 +591,7 @@
   "search.quick_action.status_search": "Sobivad postitused {x}",
   "search.search_or_paste": "Otsi või kleebi URL",
   "search_popout.full_text_search_disabled_message": "Pole saadaval kohas {domain}.",
+  "search_popout.full_text_search_logged_out_message": "Ainult saadaval sisselogituna.",
   "search_popout.language_code": "Keele ISO-kood",
   "search_popout.options": "Otsimisvalikud",
   "search_popout.quick_actions": "Kiirtegevused",

app/lib/activitypub/activity/create.rb

@@ -332,13 +332,15 @@ def resolve_thread(status)
 
   def fetch_replies(status)
     collection = @object['replies']
-    return if collection.nil?
+    return if collection.blank?
 
     replies = ActivityPub::FetchRepliesService.new.call(status, collection, allow_synchronous_requests: false, request_id: @options[:request_id])
     return unless replies.nil?
 
     uri = value_or_id(collection)
     ActivityPub::FetchRepliesWorker.perform_async(status.id, uri, { 'request_id' => @options[:request_id] }) unless uri.nil?
+  rescue => e
+    Rails.logger.warn "Error fetching replies: #{e}"
   end
 
   def conversation_from_uri(uri)

app/lib/activitypub/adapter.rb

@@ -20,6 +20,6 @@ def serializable_hash(options = nil)
     serialized_hash = serialized_hash.select { |k, _| options[:fields].include?(k) } if options[:fields]
     serialized_hash = self.class.transform_key_casing!(serialized_hash, instance_options)
 
-    { '@context' => serialized_context(named_contexts, context_extensions) }.merge(serialized_hash)
+    { '@context': serialized_context(named_contexts, context_extensions) }.merge(serialized_hash)
   end
 end

app/lib/activitypub/linked_data_signature.rb

@@ -4,6 +4,7 @@ class ActivityPub::LinkedDataSignature
   include JsonLdHelper
 
   CONTEXT = 'https://w3id.org/identity/v1'
+  SIGNATURE_CONTEXT = 'https://w3id.org/security/v1'
 
   def initialize(json)
     @json = json.with_indifferent_access
@@ -46,7 +47,13 @@ def sign!(creator, sign_with: nil)
 
     signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), to_be_signed))
 
-    @json.merge('signature' => options.merge('signatureValue' => signature))
+    # Mastodon's context is either an array or a single URL
+    context_with_security = Array(@json['@context'])
+    context_with_security << 'https://w3id.org/security/v1'
+    context_with_security.uniq!
+    context_with_security = context_with_security.first if context_with_security.size == 1
+
+    @json.merge('signature' => options.merge('signatureValue' => signature), '@context' => context_with_security)
   end
 
   private

app/lib/admin/system_check/software_version_check.rb

@@ -14,14 +14,16 @@ def pass?
   def message
     if software_updates.any?(&:urgent?)
       Admin::SystemCheck::Message.new(:software_version_critical_check, nil, admin_software_updates_path, true)
-    else
+    elsif software_updates.any?(&:patch_type?)
       Admin::SystemCheck::Message.new(:software_version_patch_check, nil, admin_software_updates_path)
+    else
+      Admin::SystemCheck::Message.new(:software_version_check, nil, admin_software_updates_path)
     end
   end
 
   private
 
   def software_updates
-    @software_updates ||= SoftwareUpdate.pending_to_a.filter { |update| update.urgent? || update.patch_type? }
+    @software_updates ||= SoftwareUpdate.pending_to_a
   end
 end

app/lib/feed_manager.rb

@@ -557,7 +557,7 @@ def build_crutches(receiver_id, statuses)
       arr = crutches[:active_mentions][s.id] || []
       arr.push(s.account_id)
 
-      if s.reblog?
+      if s.reblog? && s.reblog.present?
         arr.push(s.reblog.account_id)
         arr.concat(crutches[:active_mentions][s.reblog_of_id] || [])
       end

app/lib/request.rb

@@ -77,7 +77,7 @@ def initialize(verb, url, **options)
     @url         = Addressable::URI.parse(url).normalize
     @http_client = options.delete(:http_client)
     @allow_local = options.delete(:allow_local)
-    @full_path   = options.delete(:with_query_string)
+    @full_path   = !options.delete(:omit_query_string)
     @options     = options.merge(socket_class: use_proxy? || @allow_local ? ProxySocket : Socket)
     @options     = @options.merge(timeout_class: PerOperationWithDeadline, timeout_options: TIMEOUT)
     @options     = @options.merge(proxy_url) if use_proxy?

app/lib/video_metadata_extractor.rb

@@ -41,8 +41,8 @@ def parse_metadata
         @colorspace  = video_stream[:pix_fmt]
         @width       = video_stream[:width]
         @height      = video_stream[:height]
-        @frame_rate  = video_stream[:avg_frame_rate] == '0/0' ? nil : Rational(video_stream[:avg_frame_rate])
-        @r_frame_rate = video_stream[:r_frame_rate] == '0/0' ? nil : Rational(video_stream[:r_frame_rate])
+        @frame_rate  = parse_framerate(video_stream[:avg_frame_rate])
+        @r_frame_rate = parse_framerate(video_stream[:r_frame_rate])
         # For some video streams the frame_rate reported by `ffprobe` will be 0/0, but for these streams we
         # should use `r_frame_rate` instead. Video screencast generated by Gnome Screencast have this issue.
         @frame_rate ||= @r_frame_rate
@@ -55,4 +55,10 @@ def parse_metadata
 
     @invalid = true if @metadata.key?(:error)
   end
+
+  def parse_framerate(raw)
+    Rational(raw)
+  rescue ZeroDivisionError
+    nil
+  end
 end