Merge a6c8f33fc5 into fbe9728f36

* Check scheme in account and post links

* Harden media attachments

* Client-side mitigation

* Client-side mitigation for media attachments

CHANGELOG.md

@@ -2,9 +2,34 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.3.8] - 2025-05-06
+
+### Security
+
+- Update dependencies
+- Check scheme on account, profile, and media URLs ([GHSA-x2rc-v5wx-g3m5](https://github.com/mastodon/mastodon/security/advisories/GHSA-x2rc-v5wx-g3m5))
+
+### Added
+
+- Add warning for REDIS_NAMESPACE deprecation at startup (#34581 by @ClearlyClaire)
+- Add built-in context for interaction policies (#34574 by @ClearlyClaire)
+
+### Changed
+
+- Change activity distribution error handling to skip retrying for deleted accounts (#33617 by @ClearlyClaire)
+
+### Removed
+
+- Remove double-query for signed query strings (#34610 by @ClearlyClaire)
+
+### Fixed
+
+- Fix incorrect redirect in response to unauthenticated API requests in limited federation mode (#34549 by @ClearlyClaire)
+- Fix sign-up e-mail confirmation page reloading on error or redirect (#34548 by @ClearlyClaire)
+
 ## [4.3.7] - 2025-04-02
 
-### Add
+### Added
 
 - Add delay to profile updates to debounce them (#34137 by @ClearlyClaire)
 - Add support for paginating partial collections in `SynchronizeFollowersService` (#34272 and #34277 by @ClearlyClaire)

app/controllers/concerns/web_app_controller_concern.rb

@@ -8,6 +8,7 @@ module WebAppControllerConcern
 
     before_action :redirect_unauthenticated_to_permalinks!
     before_action :set_referer_header
+    before_action :redirect_to_tos_interstitial!
 
     content_security_policy do |p|
       policy = ContentSecurityPolicy.new
@@ -45,6 +46,12 @@ module WebAppControllerConcern
 
   protected
 
+  def redirect_to_tos_interstitial!
+    return unless current_user&.require_tos_interstitial?
+
+    redirect_to(terms_of_service_interstitial_url)
+  end
+
   def set_referer_header
     response.set_header('Referrer-Policy', Setting.allow_referrer_origin ? 'strict-origin-when-cross-origin' : 'same-origin')
   end

app/controllers/terms_of_service_controller.rb

@@ -4,8 +4,19 @@ class TermsOfServiceController < ApplicationController
   include WebAppControllerConcern
 
   skip_before_action :require_functional!
+  skip_before_action :redirect_to_tos_interstitial!
+
+  before_action :clear_redirect_interstitial!
 
   def show
     expires_in(15.seconds, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.day) unless user_signed_in?
   end
+
+  private
+
+  def clear_redirect_interstitial!
+    return unless user_signed_in?
+
+    current_user.update(require_tos_interstitial: false)
+  end
 end

app/controllers/terms_of_service_interstitial_controller.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class TermsOfServiceInterstitialController < ApplicationController
+  vary_by 'Accept-Language'
+
+  def show
+    @terms_of_service = TermsOfService.published.first
+
+    render 'terms_of_service_interstitial/show', layout: 'auth'
+  end
+end

app/javascript/mastodon/actions/importer/normalizer.js

@@ -77,6 +77,17 @@ export function normalizeStatus(status, normalOldStatus) {
     normalStatus.contentHtml  = emojify(normalStatus.content, emojiMap);
     normalStatus.spoilerHtml  = emojify(escapeTextContentForBrowser(spoilerText), emojiMap);
     normalStatus.hidden       = expandSpoilers ? false : spoilerText.length > 0 || normalStatus.sensitive;
+
+    if (normalStatus.url && !(normalStatus.url.startsWith('http://') || normalStatus.url.startsWith('https://'))) {
+      normalStatus.url = null;
+    }
+
+    normalStatus.url ||= normalStatus.uri;
+
+    normalStatus.media_attachments.forEach(item => {
+      if (item.remote_url && !(item.remote_url.startsWith('http://') || item.remote_url.startsWith('https://')))
+        item.remote_url = null;
+    });
   }
 
   if (normalOldStatus) {

app/javascript/mastodon/models/account.ts

@@ -144,5 +144,10 @@ export function createAccountFromServerJSON(serverJSON: ApiAccountJSON) {
     ),
     note_emojified: emojify(accountJSON.note, emojiMap),
     note_plain: unescapeHTML(accountJSON.note),
+    url:
+      accountJSON.url.startsWith('http://') ||
+      accountJSON.url.startsWith('https://')
+        ? accountJSON.url
+        : accountJSON.uri,
   });
 }

app/lib/activitypub/parser/media_attachment_parser.rb

@@ -15,13 +15,15 @@ class ActivityPub::Parser::MediaAttachmentParser
   end
 
   def remote_url
-    Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
   rescue Addressable::URI::InvalidURIError
     nil
   end
 
   def thumbnail_remote_url
-    Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
   rescue Addressable::URI::InvalidURIError
     nil
   end

app/lib/activitypub/parser/status_parser.rb

@@ -29,7 +29,10 @@ class ActivityPub::Parser::StatusParser
   end
 
   def url
-    url_to_href(@object['url'], 'text/html') if @object['url'].present?
+    return if @object['url'].blank?
+
+    url = url_to_href(@object['url'], 'text/html')
+    url unless unsupported_uri_scheme?(url)
   end
 
   def text

app/lib/activitypub/tag_manager.rb

@@ -4,6 +4,7 @@ require 'singleton'
 
 class ActivityPub::TagManager
   include Singleton
+  include JsonLdHelper
   include RoutingHelper
 
   CONTEXT = 'https://www.w3.org/ns/activitystreams'
@@ -17,7 +18,7 @@ class ActivityPub::TagManager
   end
 
   def url_for(target)
-    return target.url if target.respond_to?(:local?) && !target.local?
+    return unsupported_uri_scheme?(target.url) ? nil : target.url if target.respond_to?(:local?) && !target.local?
 
     return unless target.respond_to?(:object_type)
 

app/models/terms_of_service.rb

@@ -23,6 +23,8 @@ class TermsOfService < ApplicationRecord
 
   validate :effective_date_cannot_be_in_the_past
 
+  NOTIFICATION_ACTIVITY_CUTOFF = 1.year.freeze
+
   def published?
     published_at.present?
   end
@@ -39,8 +41,20 @@ class TermsOfService < ApplicationRecord
     notification_sent_at.present?
   end
 
+  def base_user_scope
+    User.confirmed.where(created_at: ..published_at).joins(:account)
+  end
+
+  def email_notification_cutoff
+    published_at - NOTIFICATION_ACTIVITY_CUTOFF
+  end
+
+  def scope_for_interstitial
+    base_user_scope.merge(Account.suspended).or(base_user_scope.where(current_sign_in_at: [nil, ...email_notification_cutoff]))
+  end
+
   def scope_for_notification
-    User.confirmed.joins(:account).merge(Account.without_suspended).where(created_at: (..published_at))
+    base_user_scope.merge(Account.without_suspended).where(current_sign_in_at: email_notification_cutoff...)
   end
 
   private

app/models/user.rb

@@ -25,6 +25,7 @@
 #  otp_backup_codes          :string           is an Array
 #  otp_required_for_login    :boolean          default(FALSE), not null
 #  otp_secret                :string
+#  require_tos_interstitial  :boolean          default(FALSE), not null
 #  reset_password_sent_at    :datetime
 #  reset_password_token      :string
 #  settings                  :text

app/views/terms_of_service_interstitial/show.html.haml

@@ -0,0 +1,15 @@
+- content_for :header_tags do
+  %meta{ name: 'robots', content: 'noindex, noarchive' }/
+
+- content_for :body_classes, 'app-body'
+
+.simple_form
+  %h1.title= t('terms_of_service_interstitial.title', domain: site_hostname)
+
+  - effective_date = @terms_of_service.effective_date || Time.zone.today
+  %p.lead= effective_date.past? ? t('terms_of_service_interstitial.past_preamble_html') : t('terms_of_service_interstitial.future_preamble_html', date: l(effective_date))
+
+  %p.lead= t('user_mailer.terms_of_service_changed.agreement', domain: site_hostname)
+
+  .stacked-actions
+    = link_to t('terms_of_service_interstitial.review_link'), terms_of_service_path, class: 'button'

app/workers/admin/distribute_terms_of_service_notification_worker.rb

@@ -6,6 +6,8 @@ class Admin::DistributeTermsOfServiceNotificationWorker
   def perform(terms_of_service_id)
     terms_of_service = TermsOfService.find(terms_of_service_id)
 
+    terms_of_service.scope_for_interstitial.in_batches.update_all(require_tos_interstitial: true)
+
     terms_of_service.scope_for_notification.find_each do |user|
       UserMailer.terms_of_service_changed(user, terms_of_service).deliver_later!
     end

config/locales/en.yml

@@ -1912,6 +1912,11 @@ en:
     does_not_match_previous_name: does not match the previous name
   terms_of_service:
     title: Terms of Service
+  terms_of_service_interstitial:
+    future_preamble_html: We're making some changes to our terms of service, which will be effective on <strong>%{date}</strong>. We encourage you to review the updated terms.
+    past_preamble_html: We have changed our terms of service since your last visit. We encourage you to review the updated terms.
+    review_link: Review terms of service
+    title: The terms of service of %{domain} are changing
   themes:
     contrast: Mastodon (High contrast)
     default: Mastodon (Dark)

config/routes.rb

@@ -208,6 +208,7 @@ Rails.application.routes.draw do
   get '/privacy-policy',   to: 'privacy#show', as: :privacy_policy
   get '/terms-of-service', to: 'terms_of_service#show', as: :terms_of_service
   get '/terms-of-service/:date', to: 'terms_of_service#show', as: :terms_of_service_version
+  get '/terms-of-service-update', to: 'terms_of_service_interstitial#show', as: :terms_of_service_interstitial
   get '/terms', to: redirect('/terms-of-service')
 
   match '/', via: [:post, :put, :patch, :delete], to: 'application#raise_not_found', format: false

db/migrate/20250428104538_add_require_tos_interstitial_to_users.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddRequireTosInterstitialToUsers < ActiveRecord::Migration[8.0]
+  def change
+    add_column :users, :require_tos_interstitial, :boolean, null: false, default: false
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2025_04_28_095029) do
+ActiveRecord::Schema[8.0].define(version: 2025_04_28_104538) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "pg_catalog.plpgsql"
 
@@ -1222,6 +1222,7 @@ ActiveRecord::Schema[8.0].define(version: 2025_04_28_095029) do
     t.string "time_zone"
     t.string "otp_secret"
     t.datetime "age_verified_at"
+    t.boolean "require_tos_interstitial", default: false, null: false
     t.index ["account_id"], name: "index_users_on_account_id"
     t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
     t.index ["created_by_application_id"], name: "index_users_on_created_by_application_id", where: "(created_by_application_id IS NOT NULL)"

docker-compose.yml

@@ -59,7 +59,7 @@ services:
   web:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
     restart: always
     env_file: .env.production
     command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
     # build:
     #   dockerfile: ./streaming/Dockerfile
     #   context: .
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.7
+    image: ghcr.io/mastodon/mastodon-streaming:v4.3.8
     restart: always
     env_file: .env.production
     command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
   sidekiq:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
     restart: always
     env_file: .env.production
     command: bundle exec sidekiq

lib/mastodon/version.rb

@@ -17,7 +17,7 @@ module Mastodon
     end
 
     def default_prerelease
-      'alpha.4'
+      'alpha.5'
     end
 
     def prerelease

spec/workers/admin/distribute_terms_of_service_notification_worker_spec.rb

@@ -14,9 +14,10 @@ RSpec.describe Admin::DistributeTermsOfServiceNotificationWorker do
 
     context 'with valid terms' do
       let(:terms) { Fabricate(:terms_of_service) }
-      let!(:user) { Fabricate :user, confirmed_at: 3.days.ago }
+      let!(:user) { Fabricate(:user, confirmed_at: 3.days.ago) }
+      let!(:old_user) { Fabricate(:user, confirmed_at: 2.years.ago, current_sign_in_at: 2.years.ago) }
 
-      it 'sends the terms update via email', :inline_jobs do
+      it 'sends the terms update via email and change the old user to require an interstitial', :inline_jobs do
         emails = capture_emails { worker.perform(terms.id) }
 
         expect(emails.size)
@@ -26,6 +27,9 @@ RSpec.describe Admin::DistributeTermsOfServiceNotificationWorker do
             to: [user.email],
             subject: I18n.t('user_mailer.terms_of_service_changed.subject')
           )
+
+        expect(user.reload.require_tos_interstitial?).to be false
+        expect(old_user.reload.require_tos_interstitial?).to be true
       end
     end
   end