Merge e6f75114ef into fbe9728f36

* Check scheme in account and post links

* Harden media attachments

* Client-side mitigation

* Client-side mitigation for media attachments

CHANGELOG.md

@@ -2,9 +2,34 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.3.8] - 2025-05-06
+
+### Security
+
+- Update dependencies
+- Check scheme on account, profile, and media URLs ([GHSA-x2rc-v5wx-g3m5](https://github.com/mastodon/mastodon/security/advisories/GHSA-x2rc-v5wx-g3m5))
+
+### Added
+
+- Add warning for REDIS_NAMESPACE deprecation at startup (#34581 by @ClearlyClaire)
+- Add built-in context for interaction policies (#34574 by @ClearlyClaire)
+
+### Changed
+
+- Change activity distribution error handling to skip retrying for deleted accounts (#33617 by @ClearlyClaire)
+
+### Removed
+
+- Remove double-query for signed query strings (#34610 by @ClearlyClaire)
+
+### Fixed
+
+- Fix incorrect redirect in response to unauthenticated API requests in limited federation mode (#34549 by @ClearlyClaire)
+- Fix sign-up e-mail confirmation page reloading on error or redirect (#34548 by @ClearlyClaire)
+
 ## [4.3.7] - 2025-04-02
 
-### Add
+### Added
 
 - Add delay to profile updates to debounce them (#34137 by @ClearlyClaire)
 - Add support for paginating partial collections in `SynchronizeFollowersService` (#34272 and #34277 by @ClearlyClaire)

app/controllers/admin/account_actions_controller.rb

@@ -7,7 +7,7 @@ module Admin
     def new
       authorize @account, :show?
 
-      @account_action  = Admin::AccountAction.new(type: params[:type], report_id: params[:report_id], send_email_notification: true, include_statuses: true)
+      @account_action  = Admin::AccountAction.new(type: params[:type], report_id: params[:report_id], send_email_notification: true, send_notification: true, include_statuses: true)
       @warning_presets = AccountWarningPreset.all
     end
 
@@ -35,7 +35,7 @@ module Admin
 
     def resource_params
       params
-        .expect(admin_account_action: [:type, :report_id, :warning_preset_id, :text, :send_email_notification, :include_statuses])
+        .expect(admin_account_action: [:type, :report_id, :warning_preset_id, :text, :send_email_notification, :send_notification, :include_statuses])
     end
   end
 end

app/controllers/admin/reports/actions_controller.rb

@@ -18,6 +18,7 @@ class Admin::Reports::ActionsController < Admin::BaseController
         status_ids: @report.status_ids,
         current_account: current_account,
         report_id: @report.id,
+        send_notification: !@report.spam?,
         send_email_notification: !@report.spam?,
         text: params[:text]
       )
@@ -29,6 +30,7 @@ class Admin::Reports::ActionsController < Admin::BaseController
         report_id: @report.id,
         target_account: @report.target_account,
         current_account: current_account,
+        send_notification: !@report.spam?,
         send_email_notification: !@report.spam?,
         text: params[:text]
       )

app/controllers/api/v1/admin/account_actions_controller.rb

@@ -31,7 +31,8 @@ class Api::V1::Admin::AccountActionsController < Api::BaseController
       :report_id,
       :warning_preset_id,
       :text,
-      :send_email_notification
+      :send_email_notification,
+      :send_notification
     )
   end
 end

app/javascript/entrypoints/admin.tsx

@@ -285,6 +285,51 @@ async function mountReactComponent(element: Element) {
   );
 }
 
+// In the account warning interface, email notifications imply in-app notifications, so update accordingly
+Rails.delegate(
+  document,
+  '#admin_account_action_send_email_notification',
+  'change',
+  () => {
+    const sendNotificationElement = document.querySelector<HTMLInputElement>(
+      'input#admin_account_action_send_notification',
+    );
+
+    const sendEmailNotificationElement =
+      document.querySelector<HTMLInputElement>(
+        'input#admin_account_action_send_email_notification',
+      );
+
+    if (sendNotificationElement && sendEmailNotificationElement?.checked) {
+      sendNotificationElement.checked = true;
+    }
+  },
+);
+
+Rails.delegate(
+  document,
+  '#admin_account_action_send_notification',
+  'change',
+  () => {
+    const sendNotificationElement = document.querySelector<HTMLInputElement>(
+      'input#admin_account_action_send_notification',
+    );
+
+    const sendEmailNotificationElement =
+      document.querySelector<HTMLInputElement>(
+        'input#admin_account_action_send_email_notification',
+      );
+
+    if (
+      sendNotificationElement &&
+      sendEmailNotificationElement &&
+      !sendNotificationElement.checked
+    ) {
+      sendEmailNotificationElement.checked = false;
+    }
+  },
+);
+
 ready(() => {
   const domainBlockSeveritySelect = document.querySelector<HTMLSelectElement>(
     'select#domain_block_severity',

app/javascript/mastodon/actions/importer/normalizer.js

@@ -77,6 +77,17 @@ export function normalizeStatus(status, normalOldStatus) {
     normalStatus.contentHtml  = emojify(normalStatus.content, emojiMap);
     normalStatus.spoilerHtml  = emojify(escapeTextContentForBrowser(spoilerText), emojiMap);
     normalStatus.hidden       = expandSpoilers ? false : spoilerText.length > 0 || normalStatus.sensitive;
+
+    if (normalStatus.url && !(normalStatus.url.startsWith('http://') || normalStatus.url.startsWith('https://'))) {
+      normalStatus.url = null;
+    }
+
+    normalStatus.url ||= normalStatus.uri;
+
+    normalStatus.media_attachments.forEach(item => {
+      if (item.remote_url && !(item.remote_url.startsWith('http://') || item.remote_url.startsWith('https://')))
+        item.remote_url = null;
+    });
   }
 
   if (normalOldStatus) {

app/javascript/mastodon/models/account.ts

@@ -144,5 +144,10 @@ export function createAccountFromServerJSON(serverJSON: ApiAccountJSON) {
     ),
     note_emojified: emojify(accountJSON.note, emojiMap),
     note_plain: unescapeHTML(accountJSON.note),
+    url:
+      accountJSON.url.startsWith('http://') ||
+      accountJSON.url.startsWith('https://')
+        ? accountJSON.url
+        : accountJSON.uri,
   });
 }

app/lib/activitypub/parser/media_attachment_parser.rb

@@ -15,13 +15,15 @@ class ActivityPub::Parser::MediaAttachmentParser
   end
 
   def remote_url
-    Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
   rescue Addressable::URI::InvalidURIError
     nil
   end
 
   def thumbnail_remote_url
-    Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
   rescue Addressable::URI::InvalidURIError
     nil
   end

app/lib/activitypub/parser/status_parser.rb

@@ -29,7 +29,10 @@ class ActivityPub::Parser::StatusParser
   end
 
   def url
-    url_to_href(@object['url'], 'text/html') if @object['url'].present?
+    return if @object['url'].blank?
+
+    url = url_to_href(@object['url'], 'text/html')
+    url unless unsupported_uri_scheme?(url)
   end
 
   def text

app/lib/activitypub/tag_manager.rb

@@ -4,6 +4,7 @@ require 'singleton'
 
 class ActivityPub::TagManager
   include Singleton
+  include JsonLdHelper
   include RoutingHelper
 
   CONTEXT = 'https://www.w3.org/ns/activitystreams'
@@ -17,7 +18,7 @@ class ActivityPub::TagManager
   end
 
   def url_for(target)
-    return target.url if target.respond_to?(:local?) && !target.local?
+    return unsupported_uri_scheme?(target.url) ? nil : target.url if target.respond_to?(:local?) && !target.local?
 
     return unless target.respond_to?(:object_type)
 

app/models/admin/account_action.rb

@@ -20,8 +20,9 @@ class Admin::AccountAction
                 :report_id,
                 :warning_preset_id
 
-  attr_reader :warning, :send_email_notification, :include_statuses
+  attr_reader :warning, :send_notification, :send_email_notification, :include_statuses
 
+  alias send_notification? send_notification
   alias send_email_notification? send_email_notification
   alias include_statuses? include_statuses
 
@@ -29,8 +30,9 @@ class Admin::AccountAction
   validates :type, inclusion: { in: TYPES }
 
   def initialize(attributes = {})
+    @send_notification = true
     @send_email_notification = true
-    @include_statuses        = true
+    @include_statuses = true
 
     super
   end
@@ -39,6 +41,10 @@ class Admin::AccountAction
     @send_email_notification = ActiveModel::Type::Boolean.new.cast(value)
   end
 
+  def send_notification=(value)
+    @send_notification = ActiveModel::Type::Boolean.new.cast(value)
+  end
+
   def include_statuses=(value)
     @include_statuses = ActiveModel::Type::Boolean.new.cast(value)
   end
@@ -169,12 +175,12 @@ class Admin::AccountAction
   def process_notification!
     return unless warnable?
 
-    UserMailer.warning(target_account.user, warning).deliver_later!
+    UserMailer.warning(target_account.user, warning).deliver_later! if send_email_notification?
     LocalNotificationWorker.perform_async(target_account.id, warning.id, 'AccountWarning', 'moderation_warning')
   end
 
   def warnable?
-    send_email_notification? && target_account.local?
+    send_notification && target_account.local?
   end
 
   def status_ids

app/models/admin/status_batch_action.rb

@@ -9,12 +9,16 @@ class Admin::StatusBatchAction
                 :status_ids, :report_id,
                 :text
 
-  attr_reader :send_email_notification
+  attr_reader :send_notification, :send_email_notification
 
   def send_email_notification=(value)
     @send_email_notification = ActiveModel::Type::Boolean.new.cast(value)
   end
 
+  def send_notification=(value)
+    @send_notification = ActiveModel::Type::Boolean.new.cast(value)
+  end
+
   def save!
     process_action!
   end
@@ -131,12 +135,12 @@ class Admin::StatusBatchAction
   def process_notification!
     return unless warnable?
 
-    UserMailer.warning(target_account.user, @warning).deliver_later!
+    UserMailer.warning(target_account.user, @warning).deliver_later! if send_email_notification
     LocalNotificationWorker.perform_async(target_account.id, @warning.id, 'AccountWarning', 'moderation_warning')
   end
 
   def warnable?
-    send_email_notification && target_account.local?
+    send_notification && target_account.local?
   end
 
   def target_account

app/views/admin/account_actions/new.html.haml

@@ -25,6 +25,11 @@
   - if @account.local?
     %hr.spacer/
 
+    .fields-group
+      = f.input :send_notification,
+                as: :boolean,
+                wrapper: :with_label
+
     .fields-group
       = f.input :send_email_notification,
                 as: :boolean,

config/locales/simple_form.en.yml

@@ -20,7 +20,8 @@ en:
         title: Optional. Not visible to the recipient
       admin_account_action:
         include_statuses: The user will see which posts have caused the moderation action or warning
-        send_email_notification: The user will receive an explanation of what happened with their account
+        send_email_notification: The user will receive an email with an explanation of what happened with their account
+        send_notification: The user will receive an in-app notification with an explanation of what happened with their account
         text_html: Optional. You can use post syntax. You can <a href="%{path}">add warning presets</a> to save time
         type_html: Choose what to do with <strong>%{acct}</strong>
         types:
@@ -179,7 +180,8 @@ en:
         title: Title
       admin_account_action:
         include_statuses: Include reported posts in the e-mail
-        send_email_notification: Notify the user per e-mail
+        send_email_notification: Also notify the user per e-mail
+        send_notification: Notify the user in the application
         text: Custom warning
         type: Action
         types:

docker-compose.yml

@@ -59,7 +59,7 @@ services:
   web:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
     restart: always
     env_file: .env.production
     command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
     # build:
     #   dockerfile: ./streaming/Dockerfile
     #   context: .
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.7
+    image: ghcr.io/mastodon/mastodon-streaming:v4.3.8
     restart: always
     env_file: .env.production
     command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
   sidekiq:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
     restart: always
     env_file: .env.production
     command: bundle exec sidekiq

lib/mastodon/version.rb

@@ -17,7 +17,7 @@ module Mastodon
     end
 
     def default_prerelease
-      'alpha.4'
+      'alpha.5'
     end
 
     def prerelease