Merge remote-tracking branch 'mastodon/main' into hota/master

Signed-off-by: lindwurm <lindwurm.q@gmail.com>

.eslintrc.js

@@ -165,7 +165,7 @@ module.exports = defineConfig({
  // },
  // ],
  'jsx-a11y/no-noninteractive-tabindex': 'off',
- 'jsx-a11y/no-onchange': 'warn',
+ 'jsx-a11y/no-onchange': 'off',
  // recommended is full 'error'
  'jsx-a11y/no-static-element-interactions': [
  'warn',

.github/actions/setup-javascript/action.yml

@@ -23,7 +23,7 @@ runs:
  shell: bash
  run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
 
- - uses: actions/cache@v3
+ - uses: actions/cache@v4
  id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
  with:
  path: ${{ steps.yarn-cache-dir-path.outputs.dir }}

.github/workflows/build-security.yml

@@ -0,0 +1,64 @@
+name: Build security nightly container image
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ compute-suffix:
+ runs-on: ubuntu-latest
+ if: github.repository == 'mastodon/mastodon'
+ steps:
+ - id: version_vars
+ env:
+ TZ: Etc/UTC
+ run: |
+ echo mastodon_version_prerelease=nightly.$(date --date='next day' +'%Y-%m-%d')-security>> $GITHUB_OUTPUT
+ outputs:
+ prerelease: ${{ steps.version_vars.outputs.mastodon_version_prerelease }}
+
+ build-image:
+ needs: compute-suffix
+ uses: ./.github/workflows/build-container-image.yml
+ with:
+ file_to_build: Dockerfile
+ platforms: linux/amd64,linux/arm64
+ use_native_arm64_builder: true
+ cache: false
+ push_to_images: |
+ tootsuite/mastodon
+ ghcr.io/mastodon/mastodon
+ version_prerelease: ${{ needs.compute-suffix.outputs.prerelease }}
+ labels: |
+ org.opencontainers.image.description=Nightly build image used for testing purposes
+ flavor: |
+ latest=auto
+ tags: |
+ type=raw,value=edge
+ type=raw,value=nightly
+ type=schedule,pattern=${{ needs.compute-suffix.outputs.prerelease }}
+ secrets: inherit
+
+ build-image-streaming:
+ needs: compute-suffix
+ uses: ./.github/workflows/build-container-image.yml
+ with:
+ file_to_build: streaming/Dockerfile
+ platforms: linux/amd64,linux/arm64
+ use_native_arm64_builder: true
+ cache: false
+ push_to_images: |
+ tootsuite/mastodon-streaming
+ ghcr.io/mastodon/mastodon-streaming
+ version_prerelease: ${{ needs.compute-suffix.outputs.prerelease }}
+ labels: |
+ org.opencontainers.image.description=Nightly build image used for testing purposes
+ flavor: |
+ latest=auto
+ tags: |
+ type=raw,value=edge
+ type=raw,value=nightly
+ type=schedule,pattern=${{ needs.compute-suffix.outputs.prerelease }}
+ secrets: inherit

.rubocop.yml

@@ -96,12 +96,11 @@ Rails/FilePath:
 Rails/HttpStatus:
  EnforcedStyle: numeric
 
-# Reason: Allowed in `tootctl` CLI code and in boot ENV checker
+# Reason: Allowed in boot ENV checker
 # https://docs.rubocop.org/rubocop-rails/cops_rails.html#railsexit
 Rails/Exit:
  Exclude:
  - 'config/boot.rb'
- - 'lib/mastodon/cli/*.rb'
 
 # Reason: Conflicts with `Lint/UselessMethodDefinition` for inherited controller actions
 # https://docs.rubocop.org/rubocop-rails/cops_rails.html#railslexicallyscopedactionfilter
@@ -175,6 +174,15 @@ Style/ClassAndModuleChildren:
 Style/Documentation:
  Enabled: false
 
+# Reason: Route redirects are not token-formatted and must be skipped
+# https://docs.rubocop.org/rubocop/cops_style.html#styleformatstringtoken
+Style/FormatStringToken:
+ inherit_mode:
+ merge:
+ - AllowedMethods # The rubocop-rails config adds `redirect`
+ AllowedMethods:
+ - redirect_with_vary
+
 # Reason: Enforce modern Ruby style
 # https://docs.rubocop.org/rubocop/cops_style.html#stylehashsyntax
 Style/HashSyntax:

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --no-exclude-limit --no-offense-counts --no-auto-gen-timestamp`
-# using RuboCop version 1.59.0.
+# using RuboCop version 1.60.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -70,21 +70,6 @@ Rails/UniqueValidationWithoutIndex:
  - 'app/models/identity.rb'
  - 'app/models/webauthn_credential.rb'
 
-# This cop supports unsafe autocorrection (--autocorrect-all).
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: exists, where
-Rails/WhereExists:
- Exclude:
- - 'app/controllers/activitypub/inboxes_controller.rb'
- - 'app/controllers/admin/email_domain_blocks_controller.rb'
- - 'app/policies/status_policy.rb'
- - 'app/serializers/rest/announcement_serializer.rb'
- - 'app/workers/move_worker.rb'
- - 'spec/models/account_spec.rb'
- - 'spec/services/activitypub/process_collection_service_spec.rb'
- - 'spec/services/purge_domain_service_spec.rb'
- - 'spec/services/unallow_domain_service_spec.rb'
-
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 # AllowedMethods: ==, equal?, eql?
@@ -136,10 +121,6 @@ Style/GlobalStdStream:
 # Configuration parameters: MinBodyLength, AllowConsecutiveConditionals.
 Style/GuardClause:
  Exclude:
- - 'app/controllers/admin/confirmations_controller.rb'
- - 'app/controllers/auth/confirmations_controller.rb'
- - 'app/controllers/auth/passwords_controller.rb'
- - 'app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb'
  - 'app/lib/activitypub/activity/block.rb'
  - 'app/lib/request.rb'
  - 'app/lib/request_pool.rb'
@@ -294,13 +275,6 @@ Style/StringLiterals:
  - 'config/initializers/webauthn.rb'
  - 'config/routes.rb'
 
-# This cop supports safe autocorrection (--autocorrect).
-# Configuration parameters: EnforcedStyle, AllowSafeAssignment.
-# SupportedStyles: require_parentheses, require_no_parentheses, require_parentheses_when_complex
-Style/TernaryParentheses:
- Exclude:
- - 'config/environments/development.rb'
-
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyleForMultiline.
 # SupportedStylesForMultiline: comma, consistent_comma, no_comma

Gemfile

@@ -123,13 +123,7 @@ group :test do
  gem 'database_cleaner-active_record'
 
  # Used to mock environment variables
- gem 'climate_control', '~> 0.2'
-
- # Generating fake data for specs
- gem 'faker', '~> 3.2'
-
- # Generate test objects for specs
- gem 'fabrication', '~> 2.30'
+ gem 'climate_control'
 
  # Add back helpers functions removed in Rails 5.1
  gem 'rails-controller-testing', '~> 1.0'
@@ -182,6 +176,12 @@ group :development, :test do
  # Interactive Debugging tools
  gem 'debug', '~> 1.8'
 
+ # Generate fake data values
+ gem 'faker', '~> 3.2'
+
+ # Generate factory objects
+ gem 'fabrication', '~> 2.30'
+
  # Profiling tools
  gem 'memory_profiler', require: false
  gem 'ruby-prof', require: false

Gemfile.lock

@@ -177,11 +177,11 @@ GEM
  bundler-audit (0.9.1)
  bundler (>= 1.2.0, < 3)
  thor (~> 1.0)
- capybara (3.39.2)
+ capybara (3.40.0)
  addressable
  matrix
  mini_mime (>= 0.1.3)
- nokogiri (~> 1.8)
+ nokogiri (~> 1.11)
  rack (>= 1.6.0)
  rack-test (>= 0.6.3)
  regexp_parser (>= 1.5, < 3.0)
@@ -190,12 +190,12 @@ GEM
  activesupport
  cbor (0.5.9.6)
  charlock_holmes (0.7.7)
- chewy (7.5.0)
+ chewy (7.5.1)
  activesupport (>= 5.2)
  elasticsearch (>= 7.12.0, < 7.14.0)
  elasticsearch-dsl
  chunky_png (1.4.0)
- climate_control (0.2.0)
+ climate_control (1.2.0)
  cocoon (1.2.15)
  color_diff (0.1)
  concurrent-ruby (1.2.3)
@@ -370,7 +370,7 @@ GEM
  rainbow (>= 2.2.2, < 4.0)
  terminal-table (>= 1.5.1)
  idn-ruby (0.1.5)
- io-console (0.7.1)
+ io-console (0.7.2)
  irb (1.11.1)
  rdoc
  reline (>= 0.4.2)
@@ -455,7 +455,7 @@ GEM
  mime-types-data (3.2023.1205)
  mini_mime (1.1.5)
  mini_portile2 (2.8.5)
- minitest (5.21.1)
+ minitest (5.21.2)
  msgpack (1.7.2)
  multi_json (1.15.0)
  multipart-post (2.3.0)
@@ -646,7 +646,7 @@ GEM
  rspec-mocks (3.12.6)
  diff-lcs (>= 1.2.0, < 2.0)
  rspec-support (~> 3.12.0)
- rspec-rails (6.1.0)
+ rspec-rails (6.1.1)
  actionpack (>= 6.1)
  activesupport (>= 6.1)
  railties (>= 6.1)
@@ -752,8 +752,8 @@ GEM
  temple (0.10.3)
  terminal-table (3.0.2)
  unicode-display_width (>= 1.1.1, < 3)
- terrapin (0.6.0)
- climate_control (>= 0.0.3, < 1.0)
+ terrapin (1.0.1)
+ climate_control
  test-prof (1.3.1)
  thor (1.3.0)
  tilt (2.3.0)
@@ -842,7 +842,7 @@ DEPENDENCIES
  capybara (~> 3.39)
  charlock_holmes (~> 0.7.7)
  chewy (~> 7.3)
- climate_control (~> 0.2)
+ climate_control
  cocoon (~> 1.2)
  color_diff (~> 0.1)
  concurrent-ruby

app/controllers/activitypub/inboxes_controller.rb

@@ -24,7 +24,7 @@ def skip_unknown_actor_activity
 
  def unknown_affected_account?
  json = Oj.load(body, mode: :strict)
- json.is_a?(Hash) && %w(Delete Update).include?(json['type']) && json['actor'].present? && json['actor'] == value_or_id(json['object']) && !Account.where(uri: json['actor']).exists?
+ json.is_a?(Hash) && %w(Delete Update).include?(json['type']) && json['actor'].present? && json['actor'] == value_or_id(json['object']) && !Account.exists?(uri: json['actor'])
  rescue Oj::ParseError
  false
  end

app/controllers/admin/confirmations_controller.rb

@@ -3,7 +3,7 @@
 module Admin
  class ConfirmationsController < BaseController
  before_action :set_user
- before_action :check_confirmation, only: [:resend]
+ before_action :redirect_confirmed_user, only: [:resend], if: :user_confirmed?
 
  def create
  authorize @user, :confirm?
@@ -25,11 +25,13 @@ def resend
 
  private
 
- def check_confirmation
- if @user.confirmed?
- flash[:error] = I18n.t('admin.accounts.resend_confirmation.already_confirmed')
- redirect_to admin_accounts_path
- end
+ def redirect_confirmed_user
+ flash[:error] = I18n.t('admin.accounts.resend_confirmation.already_confirmed')
+ redirect_to admin_accounts_path
+ end
+
+ def user_confirmed?
+ @user.confirmed?
  end
  end
 end

app/controllers/admin/email_domain_blocks_controller.rb

@@ -38,7 +38,7 @@ def create
  log_action :create, @email_domain_block
 
  (@email_domain_block.other_domains || []).uniq.each do |domain|
- next if EmailDomainBlock.where(domain: domain).exists?
+ next if EmailDomainBlock.exists?(domain: domain)
 
  other_email_domain_block = EmailDomainBlock.create!(domain: domain, allow_with_approval: @email_domain_block.allow_with_approval, parent: @email_domain_block)
  log_action :create, other_email_domain_block

app/controllers/admin/export_domain_blocks_controller.rb

@@ -49,7 +49,7 @@ def import
  next
  end
 
- @warning_domains = Instance.where(domain: @domain_blocks.map(&:domain)).where('EXISTS (SELECT 1 FROM follows JOIN accounts ON follows.account_id = accounts.id OR follows.target_account_id = accounts.id WHERE accounts.domain = instances.domain)').pluck(:domain)
+ @warning_domains = instances_from_imported_blocks.pluck(:domain)
  rescue ActionController::ParameterMissing
  flash.now[:alert] = I18n.t('admin.export_domain_blocks.no_file')
  set_dummy_import!
@@ -58,6 +58,10 @@ def import
 
  private
 
+ def instances_from_imported_blocks
+ Instance.with_domain_follows(@domain_blocks.map(&:domain))
+ end
+
  def export_filename
  'domain_blocks.csv'
  end

app/controllers/auth/confirmations_controller.rb

@@ -7,7 +7,7 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
 
  before_action :set_body_classes
  before_action :set_confirmation_user!, only: [:show, :confirm_captcha]
- before_action :require_unconfirmed!
+ before_action :redirect_confirmed_user, if: :signed_in_confirmed_user?
 
  before_action :extend_csp_for_captcha!, only: [:show, :confirm_captcha]
  before_action :require_captcha_if_needed!, only: [:show]
@@ -65,10 +65,12 @@ def captcha_user_bypass?
  @confirmation_user.nil? || @confirmation_user.confirmed?
  end
 
- def require_unconfirmed!
- if user_signed_in? && current_user.confirmed? && current_user.unconfirmed_email.blank?
- redirect_to(current_user.approved? ? root_path : edit_user_registration_path)
- end
+ def redirect_confirmed_user
+ redirect_to(current_user.approved? ? root_path : edit_user_registration_path)
+ end
+
+ def signed_in_confirmed_user?
+ user_signed_in? && current_user.confirmed? && current_user.unconfirmed_email.blank?
  end
 
  def set_body_classes

app/controllers/auth/passwords_controller.rb

@@ -2,7 +2,7 @@
 
 class Auth::PasswordsController < Devise::PasswordsController
  skip_before_action :check_self_destruct!
- before_action :check_validity_of_reset_password_token, only: :edit
+ before_action :redirect_invalid_reset_token, only: :edit, unless: :reset_password_token_is_valid?
  before_action :set_body_classes
 
  layout 'auth'
@@ -19,11 +19,9 @@ def update
 
  private
 
- def check_validity_of_reset_password_token
- unless reset_password_token_is_valid?
- flash[:error] = I18n.t('auth.invalid_reset_password_token')
- redirect_to new_password_path(resource_name)
- end
+ def redirect_invalid_reset_token
+ flash[:error] = I18n.t('auth.invalid_reset_password_token')
+ redirect_to new_password_path(resource_name)
  end
 
  def set_body_classes

app/controllers/concerns/signature_verification.rb

@@ -266,7 +266,7 @@ def actor_from_key_id(key_id)
  stoplight_wrap_request { ResolveAccountService.new.call(key_id.delete_prefix('acct:'), suppress_errors: false) }
  elsif !ActivityPub::TagManager.instance.local_uri?(key_id)
  account = ActivityPub::TagManager.instance.uri_to_actor(key_id)
- account ||= stoplight_wrap_request { ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false, suppress_errors: false) }
+ account ||= stoplight_wrap_request { ActivityPub::FetchRemoteKeyService.new.call(key_id, suppress_errors: false) }
  account
  end
  rescue Mastodon::PrivateNetworkAddressError => e