From 2ff79f9aae433b2e6142dbbda40d394f71520aed Mon Sep 17 00:00:00 2001 From: rinpatch Date: Sat, 9 May 2020 18:51:20 +0300 Subject: [PATCH 01/11] insert skeletons migration: fix for non-local locals Apparently some instances have local users with local ap_ids that are marked as local: false. Needs more investigation into how that happened. In the meantime, the skeleton migration was patched to just ignore all known ap ids, not just locals. Doesn't seem to slow down the migration too much on patch.cx Closes #1746 --- .../20200428221338_insert_skeletons_for_deleted_users.exs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs b/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs index 11d9a70ba..2adc38186 100644 --- a/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs +++ b/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs @@ -30,7 +30,7 @@ def change do Repo, "select distinct unnest(nonexistent_locals.recipients) from activities, lateral (select array_agg(recipient) as recipients from unnest(activities.recipients) as recipient where recipient similar to '#{ instance_uri - }/users/[A-Za-z0-9]*' and not(recipient in (select ap_id from users where local = true))) nonexistent_locals;", + }/users/[A-Za-z0-9]*' and not(recipient in (select ap_id from users))) nonexistent_locals;", [], timeout: :infinity ) From a74c31ff639f4e3133ac5442125403454db88cee Mon Sep 17 00:00:00 2001 From: rinpatch Date: Sat, 9 May 2020 14:49:46 +0300 Subject: [PATCH 02/11] include eldap in OTP releases Closes #1313 --- mix.exs | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/mix.exs b/mix.exs index 3f3990ea2..e6b9e1775 100644 --- a/mix.exs +++ b/mix.exs @@ -63,7 +63,15 @@ def copy_nginx_config(%{path: target_path} = release) do def application do [ mod: {Pleroma.Application, []}, - extra_applications: [:logger, :runtime_tools, :comeonin, :quack, :fast_sanitize, :ssl], + extra_applications: [ + :logger, + :runtime_tools, + :comeonin, + :quack, + :fast_sanitize, + :ssl, + :eldap + ], included_applications: [:ex_syslogger] ] end From 38541d99ea9724a0f0d7a0642fe381e2237f18fd Mon Sep 17 00:00:00 2001 From: Alexander Strizhakov Date: Wed, 6 May 2020 16:20:47 +0300 Subject: [PATCH 03/11] apache chain issue fix --- installation/pleroma-apache.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/installation/pleroma-apache.conf b/installation/pleroma-apache.conf index b5640ac3d..0d627f2d7 100644 --- a/installation/pleroma-apache.conf +++ b/installation/pleroma-apache.conf @@ -32,9 +32,8 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on - SSLCertificateFile /etc/letsencrypt/live/${servername}/cert.pem + SSLCertificateFile /etc/letsencrypt/live/${servername}/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/${servername}/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/${servername}/fullchain.pem # Mozilla modern configuration, tweak to your needs SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 From 797dd3f58161982ac8e017d99de26927cf19cf25 Mon Sep 17 00:00:00 2001 From: "Haelwenn (lanodan) Monnier" Date: Thu, 30 Apr 2020 18:55:25 +0200 Subject: [PATCH 04/11] Increase tests on AP C2S Related: https://git.pleroma.social/pleroma/pleroma/-/issues/954 --- .../activity_pub_controller_test.exs | 68 +++++++++++++++---- 1 file changed, 53 insertions(+), 15 deletions(-) diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs index b2352538a..6ab71e2ea 100644 --- a/test/web/activity_pub/activity_pub_controller_test.exs +++ b/test/web/activity_pub/activity_pub_controller_test.exs @@ -652,9 +652,25 @@ test "it returns an announce activity in a collection", %{conn: conn} do assert response(conn, 200) =~ announce_activity.data["object"] end + end - test "it rejects posts from other users", %{conn: conn} do - data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!() + describe "POST /users/:nickname/outbox (C2S)" do + setup do + [ + activity: %{ + "@context" => "https://www.w3.org/ns/activitystreams", + "type" => "Create", + "object" => %{"type" => "Note", "content" => "AP C2S test"}, + "to" => "https://www.w3.org/ns/activitystreams#Public", + "cc" => [] + } + ] + end + + test "it rejects posts from other users / unauthenticated users", %{ + conn: conn, + activity: activity + } do user = insert(:user) otheruser = insert(:user) @@ -662,39 +678,61 @@ test "it rejects posts from other users", %{conn: conn} do conn |> assign(:user, otheruser) |> put_req_header("content-type", "application/activity+json") - |> post("/users/#{user.nickname}/outbox", data) + |> post("/users/#{user.nickname}/outbox", activity) assert json_response(conn, 403) end - test "it inserts an incoming create activity into the database", %{conn: conn} do - data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!() + test "it inserts an incoming create activity into the database", %{ + conn: conn, + activity: activity + } do user = insert(:user) - conn = + result = conn |> assign(:user, user) |> put_req_header("content-type", "application/activity+json") - |> post("/users/#{user.nickname}/outbox", data) - - result = json_response(conn, 201) + |> post("/users/#{user.nickname}/outbox", activity) + |> json_response(201) assert Activity.get_by_ap_id(result["id"]) + assert result["object"] + assert %Object{data: object} = Object.normalize(result["object"]) + assert object["content"] == activity["object"]["content"] end - test "it rejects an incoming activity with bogus type", %{conn: conn} do - data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!() + test "it inserts an incoming sensitive activity into the database", %{ + conn: conn, + activity: activity + } do user = insert(:user) + object = Map.put(activity["object"], "sensitive", true) + activity = Map.put(activity, "object", object) - data = - data - |> Map.put("type", "BadType") + result = + conn + |> assign(:user, user) + |> put_req_header("content-type", "application/activity+json") + |> post("/users/#{user.nickname}/outbox", activity) + |> json_response(201) + + assert Activity.get_by_ap_id(result["id"]) + assert result["object"] + assert %Object{data: object} = Object.normalize(result["object"]) + assert object["sensitive"] == activity["object"]["sensitive"] + assert object["content"] == activity["object"]["content"] + end + + test "it rejects an incoming activity with bogus type", %{conn: conn, activity: activity} do + user = insert(:user) + activity = Map.put(activity, "type", "BadType") conn = conn |> assign(:user, user) |> put_req_header("content-type", "application/activity+json") - |> post("/users/#{user.nickname}/outbox", data) + |> post("/users/#{user.nickname}/outbox", activity) assert json_response(conn, 400) end From 45df70e691495d383a9ceedd620c03a5d3a875ec Mon Sep 17 00:00:00 2001 From: lain Date: Tue, 5 May 2020 10:12:37 +0200 Subject: [PATCH 05/11] AP C2S: Restrict creation to `Note`s for now. --- .../web/activity_pub/activity_pub_controller.ex | 11 +++++++---- .../activity_pub/activity_pub_controller_test.exs | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex index 779de0e4d..2bb5bd15b 100644 --- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex +++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex @@ -370,7 +370,10 @@ def read_inbox(%{assigns: %{user: %{nickname: as_nickname}}} = conn, %{ |> json(err) end - def handle_user_activity(user, %{"type" => "Create"} = params) do + defp handle_user_activity( + %User{} = user, + %{"type" => "Create", "object" => %{"type" => "Note"}} = params + ) do object = params["object"] |> Map.merge(Map.take(params, ["to", "cc"])) @@ -386,7 +389,7 @@ def handle_user_activity(user, %{"type" => "Create"} = params) do }) end - def handle_user_activity(user, %{"type" => "Delete"} = params) do + defp handle_user_activity(user, %{"type" => "Delete"} = params) do with %Object{} = object <- Object.normalize(params["object"]), true <- user.is_moderator || user.ap_id == object.data["actor"], {:ok, delete} <- ActivityPub.delete(object) do @@ -396,7 +399,7 @@ def handle_user_activity(user, %{"type" => "Delete"} = params) do end end - def handle_user_activity(user, %{"type" => "Like"} = params) do + defp handle_user_activity(user, %{"type" => "Like"} = params) do with %Object{} = object <- Object.normalize(params["object"]), {:ok, activity, _object} <- ActivityPub.like(user, object) do {:ok, activity} @@ -405,7 +408,7 @@ def handle_user_activity(user, %{"type" => "Like"} = params) do end end - def handle_user_activity(_, _) do + defp handle_user_activity(_, _) do {:error, dgettext("errors", "Unhandled activity type")} end diff --git a/test/web/activity_pub/activity_pub_controller_test.exs b/test/web/activity_pub/activity_pub_controller_test.exs index 6ab71e2ea..c418232da 100644 --- a/test/web/activity_pub/activity_pub_controller_test.exs +++ b/test/web/activity_pub/activity_pub_controller_test.exs @@ -702,6 +702,21 @@ test "it inserts an incoming create activity into the database", %{ assert object["content"] == activity["object"]["content"] end + test "it rejects anything beyond 'Note' creations", %{conn: conn, activity: activity} do + user = insert(:user) + + activity = + activity + |> put_in(["object", "type"], "Benis") + + _result = + conn + |> assign(:user, user) + |> put_req_header("content-type", "application/activity+json") + |> post("/users/#{user.nickname}/outbox", activity) + |> json_response(400) + end + test "it inserts an incoming sensitive activity into the database", %{ conn: conn, activity: activity From dd7bf4aeced3163532b4d39bf69e32fa3bfd4143 Mon Sep 17 00:00:00 2001 From: Angelina Filippova Date: Mon, 4 May 2020 22:41:14 +0300 Subject: [PATCH 06/11] Fix inconsistency in language for activating settings --- config/description.exs | 1 + 1 file changed, 1 insertion(+) diff --git a/config/description.exs b/config/description.exs index 5a1e9e9af..2623e3683 100644 --- a/config/description.exs +++ b/config/description.exs @@ -2260,6 +2260,7 @@ children: [ %{ key: :active, + label: "Enabled", type: :boolean, description: "Globally enable or disable digest emails" }, From f7c28ae54484e1c5df48c89560e7822d04c7e5eb Mon Sep 17 00:00:00 2001 From: lain Date: Sun, 3 May 2020 13:48:01 +0200 Subject: [PATCH 07/11] Webfinger: Request account info with the acct scheme --- lib/pleroma/web/web_finger/web_finger.ex | 6 ++++-- test/support/http_request_mock.ex | 14 +++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/lib/pleroma/web/web_finger/web_finger.ex b/lib/pleroma/web/web_finger/web_finger.ex index 43a81c75d..8f71820d7 100644 --- a/lib/pleroma/web/web_finger/web_finger.ex +++ b/lib/pleroma/web/web_finger/web_finger.ex @@ -193,13 +193,15 @@ def finger(account) do URI.parse(account).host end + encoded_account = URI.encode("acct:#{account}") + address = case find_lrdd_template(domain) do {:ok, template} -> - String.replace(template, "{uri}", URI.encode(account)) + String.replace(template, "{uri}", encoded_account) _ -> - "https://#{domain}/.well-known/webfinger?resource=acct:#{account}" + "https://#{domain}/.well-known/webfinger?resource=#{encoded_account}" end with response <- diff --git a/test/support/http_request_mock.ex b/test/support/http_request_mock.ex index 79ab129fd..890a43cc1 100644 --- a/test/support/http_request_mock.ex +++ b/test/support/http_request_mock.ex @@ -211,7 +211,7 @@ def get( end def get( - "https://squeet.me/xrd/?uri=lain@squeet.me", + "https://squeet.me/xrd/?uri=acct:lain@squeet.me", _, _, Accept: "application/xrd+xml,application/jrd+json" @@ -850,7 +850,7 @@ def get( end def get( - "https://social.heldscal.la/.well-known/webfinger?resource=shp@social.heldscal.la", + "https://social.heldscal.la/.well-known/webfinger?resource=acct:shp@social.heldscal.la", _, _, Accept: "application/xrd+xml,application/jrd+json" @@ -863,7 +863,7 @@ def get( end def get( - "https://social.heldscal.la/.well-known/webfinger?resource=invalid_content@social.heldscal.la", + "https://social.heldscal.la/.well-known/webfinger?resource=acct:invalid_content@social.heldscal.la", _, _, Accept: "application/xrd+xml,application/jrd+json" @@ -880,7 +880,7 @@ def get("http://framatube.org/.well-known/host-meta", _, _, _) do end def get( - "http://framatube.org/main/xrd?uri=framasoft@framatube.org", + "http://framatube.org/main/xrd?uri=acct:framasoft@framatube.org", _, _, Accept: "application/xrd+xml,application/jrd+json" @@ -939,7 +939,7 @@ def get("http://gerzilla.de/.well-known/host-meta", _, _, _) do end def get( - "https://gerzilla.de/xrd/?uri=kaniini@gerzilla.de", + "https://gerzilla.de/xrd/?uri=acct:kaniini@gerzilla.de", _, _, Accept: "application/xrd+xml,application/jrd+json" @@ -1135,7 +1135,7 @@ def get("http://404.site" <> _, _, _, _) do end def get( - "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=lain@zetsubou.xn--q9jyb4c", + "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=acct:lain@zetsubou.xn--q9jyb4c", _, _, Accept: "application/xrd+xml,application/jrd+json" @@ -1148,7 +1148,7 @@ def get( end def get( - "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=https://zetsubou.xn--q9jyb4c/users/lain", + "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=acct:https://zetsubou.xn--q9jyb4c/users/lain", _, _, Accept: "application/xrd+xml,application/jrd+json" From 3d9a7cf0cc235f4c305c065e264a77d3c9e7d0e3 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Fri, 8 May 2020 23:51:59 +0300 Subject: [PATCH 08/11] healthcheck: report real amount of memory allocated by beam as opposed to memory currently in use --- lib/pleroma/healthcheck.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/pleroma/healthcheck.ex b/lib/pleroma/healthcheck.ex index 8f7f43ec2..92ce83cb7 100644 --- a/lib/pleroma/healthcheck.ex +++ b/lib/pleroma/healthcheck.ex @@ -29,7 +29,7 @@ defmodule Pleroma.Healthcheck do @spec system_info() :: t() def system_info do %Healthcheck{ - memory_used: Float.round(:erlang.memory(:total) / 1024 / 1024, 2) + memory_used: Float.round(:recon_alloc.memory(:allocated) / 1024 / 1024, 2) } |> assign_db_info() |> assign_job_queue_stats() From 69e1f23dd377a8c5b63582ad2df67587c54fc910 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Sun, 10 May 2020 02:36:32 +0300 Subject: [PATCH 09/11] CHANGELOG.md: Add 2.0.4 entry --- CHANGELOG.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3394ecbc..d18822507 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,28 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [2.0.4] - 2020-05-10 + +### Fixed +- Peertube user lookups not working +- `InsertSkeletonsForDeletedUsers` migration failing on some instances +- Healthcheck reporting the number of memory currently used, rather than allocated in total +- LDAP not being usable in OTP releases +- Default apache configuration having tls chain issues + +### Upgrade notes + +#### Apache only + +1. Remove the following line from your config: +``` + SSLCertificateFile /etc/letsencrypt/live/${servername}/cert.pem +``` + +#### Everyone + +1. Restart Pleroma + ## [2.0.3] - 2020-05-02 ### Security From 9c239558794ab3831fd7553171a80fd67d580746 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Sun, 10 May 2020 02:37:36 +0300 Subject: [PATCH 10/11] mix.exs: bump version to 2.0.4 --- mix.exs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mix.exs b/mix.exs index e6b9e1775..9f9679f62 100644 --- a/mix.exs +++ b/mix.exs @@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do def project do [ app: :pleroma, - version: version("2.0.3"), + version: version("2.0.4"), elixir: "~> 1.8", elixirc_paths: elixirc_paths(Mix.env()), compilers: [:phoenix, :gettext] ++ Mix.compilers(), From 489201d5d549a1ad32bf55d7a29d53c8f2316f14 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Sun, 10 May 2020 19:54:37 +0300 Subject: [PATCH 11/11] CHANGELOG.md: mention AP C2S change --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d18822507..f01dc3bd2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [2.0.4] - 2020-05-10 +### Security +- AP C2S: Fix a potential DoS by creating nonsensical objects that break timelines + ### Fixed - Peertube user lookups not working - `InsertSkeletonsForDeletedUsers` migration failing on some instances