Merge 3ee385ed2e into fbe9728f36

* Check scheme in account and post links

* Harden media attachments

* Client-side mitigation

* Client-side mitigation for media attachments

CHANGELOG.md

@@ -2,9 +2,34 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.3.8] - 2025-05-06
+
+### Security
+
+- Update dependencies
+- Check scheme on account, profile, and media URLs ([GHSA-x2rc-v5wx-g3m5](https://github.com/mastodon/mastodon/security/advisories/GHSA-x2rc-v5wx-g3m5))
+
+### Added
+
+- Add warning for REDIS_NAMESPACE deprecation at startup (#34581 by @ClearlyClaire)
+- Add built-in context for interaction policies (#34574 by @ClearlyClaire)
+
+### Changed
+
+- Change activity distribution error handling to skip retrying for deleted accounts (#33617 by @ClearlyClaire)
+
+### Removed
+
+- Remove double-query for signed query strings (#34610 by @ClearlyClaire)
+
+### Fixed
+
+- Fix incorrect redirect in response to unauthenticated API requests in limited federation mode (#34549 by @ClearlyClaire)
+- Fix sign-up e-mail confirmation page reloading on error or redirect (#34548 by @ClearlyClaire)
+
 ## [4.3.7] - 2025-04-02
 
-### Add
+### Added
 
 - Add delay to profile updates to debounce them (#34137 by @ClearlyClaire)
 - Add support for paginating partial collections in `SynchronizeFollowersService` (#34272 and #34277 by @ClearlyClaire)

app/controllers/settings/exports/account_notes_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Settings
+  module Exports
+    class AccountNotesController < BaseController
+      include Settings::ExportControllerConcern
+
+      def index
+        send_export_file
+      end
+
+      private
+
+      def export_data
+        @export.to_account_notes_csv
+      end
+    end
+  end
+end

app/javascript/mastodon/actions/importer/normalizer.js

@@ -77,6 +77,17 @@ export function normalizeStatus(status, normalOldStatus) {
     normalStatus.contentHtml  = emojify(normalStatus.content, emojiMap);
     normalStatus.spoilerHtml  = emojify(escapeTextContentForBrowser(spoilerText), emojiMap);
     normalStatus.hidden       = expandSpoilers ? false : spoilerText.length > 0 || normalStatus.sensitive;
+
+    if (normalStatus.url && !(normalStatus.url.startsWith('http://') || normalStatus.url.startsWith('https://'))) {
+      normalStatus.url = null;
+    }
+
+    normalStatus.url ||= normalStatus.uri;
+
+    normalStatus.media_attachments.forEach(item => {
+      if (item.remote_url && !(item.remote_url.startsWith('http://') || item.remote_url.startsWith('https://')))
+        item.remote_url = null;
+    });
   }
 
   if (normalOldStatus) {

app/javascript/mastodon/models/account.ts

@@ -144,5 +144,10 @@ export function createAccountFromServerJSON(serverJSON: ApiAccountJSON) {
     ),
     note_emojified: emojify(accountJSON.note, emojiMap),
     note_plain: unescapeHTML(accountJSON.note),
+    url:
+      accountJSON.url.startsWith('http://') ||
+      accountJSON.url.startsWith('https://')
+        ? accountJSON.url
+        : accountJSON.uri,
   });
 }

app/lib/activitypub/parser/media_attachment_parser.rb

@@ -15,13 +15,15 @@ class ActivityPub::Parser::MediaAttachmentParser
   end
 
   def remote_url
-    Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
   rescue Addressable::URI::InvalidURIError
     nil
   end
 
   def thumbnail_remote_url
-    Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
   rescue Addressable::URI::InvalidURIError
     nil
   end

app/lib/activitypub/parser/status_parser.rb

@@ -29,7 +29,10 @@ class ActivityPub::Parser::StatusParser
   end
 
   def url
-    url_to_href(@object['url'], 'text/html') if @object['url'].present?
+    return if @object['url'].blank?
+
+    url = url_to_href(@object['url'], 'text/html')
+    url unless unsupported_uri_scheme?(url)
   end
 
   def text

app/lib/activitypub/tag_manager.rb

@@ -4,6 +4,7 @@ require 'singleton'
 
 class ActivityPub::TagManager
   include Singleton
+  include JsonLdHelper
   include RoutingHelper
 
   CONTEXT = 'https://www.w3.org/ns/activitystreams'
@@ -17,7 +18,7 @@ class ActivityPub::TagManager
   end
 
   def url_for(target)
-    return target.url if target.respond_to?(:local?) && !target.local?
+    return unsupported_uri_scheme?(target.url) ? nil : target.url if target.respond_to?(:local?) && !target.local?
 
     return unless target.respond_to?(:object_type)
 

app/models/bulk_import.rb

@@ -34,6 +34,7 @@ class BulkImport < ApplicationRecord
     domain_blocking: 3,
     bookmarks: 4,
     lists: 5,
+    account_notes: 6,
   }
 
   enum :state, {

app/models/export.rb

@@ -55,6 +55,14 @@ class Export
     end
   end
 
+  def to_account_notes_csv
+    CSV.generate(headers: ['Account address', 'Account note'], write_headers: true, encoding: Encoding::UTF_8) do |csv|
+      account.account_notes.includes(:target_account).reorder(id: :desc).each do |account_note|
+        csv << [acct(account_note.target_account), account_note.comment]
+      end
+    end
+  end
+
   private
 
   def to_csv(accounts)

app/models/form/import.rb

@@ -19,6 +19,7 @@ class Form::Import
     domain_blocking: ['#domain'],
     bookmarks: ['#uri'],
     lists: ['List name', 'Account address'],
+    account_notes: ['Account address', 'Account note'],
   }.freeze
 
   KNOWN_FIRST_HEADERS = EXPECTED_HEADERS_BY_TYPE.values.map(&:first).uniq.freeze
@@ -32,6 +33,7 @@ class Form::Import
     '#domain' => 'domain',
     '#uri' => 'uri',
     'List name' => 'list_name',
+    'Account note' => 'comment',
   }.freeze
 
   class EmptyFileError < StandardError; end
@@ -55,6 +57,8 @@ class Form::Import
       :bookmarks
     elsif file_name_matches?('lists')
       :lists
+    elsif csv_headers_match?('Account note') || file_name_matches?('account_notes')
+      :account_notes
     end
   end
 
@@ -102,6 +106,8 @@ class Form::Import
       ['#uri']
     when :lists
       ['List name', 'Account address']
+    when :account_notes
+      ['Account address', 'Account note']
     end
   end
 
@@ -118,7 +124,7 @@ class Form::Import
         field.strip.gsub(/\A@/, '')
       when '#domain'
         field&.strip&.downcase
-      when '#uri', 'List name'
+      when '#uri', 'List name', 'Account note'
         field.strip
       else
         field

app/presenters/export_summary.rb

@@ -14,6 +14,11 @@ class ExportSummary
     prefix: true
   )
 
+  delegate(
+    :account_notes,
+    to: :account
+  )
+
   def initialize(account)
     @account = account
     @counts = populate_counts
@@ -47,6 +52,10 @@ class ExportSummary
     counts[:muting].value
   end
 
+  def total_account_notes
+    counts[:account_notes].value
+  end
+
   def total_statuses
     account.statuses_count
   end
@@ -64,6 +73,7 @@ class ExportSummary
       domain_blocks: account_domain_blocks.async_count,
       owned_lists: account_owned_lists.async_count,
       muting: account_muting.async_count,
+      account_notes: account_notes.async_count,
       storage: account_media_attachments.async_sum(:file_file_size),
     }
   end

app/services/bulk_import_row_service.rb

@@ -7,7 +7,7 @@ class BulkImportRowService
     @type    = row.bulk_import.type.to_sym
 
     case @type
-    when :following, :blocking, :muting, :lists
+    when :following, :blocking, :muting, :lists, :account_notes
       target_acct     = @data['acct']
       target_domain   = domain(target_acct)
       @target_account = stoplight_wrapper(target_domain).run { ResolveAccountService.new.call(target_acct, { check_delivery_availability: true }) }
@@ -39,6 +39,10 @@ class BulkImportRowService
       FollowService.new.call(@account, @target_account) unless @account.id == @target_account.id
 
       list.accounts << @target_account
+    when :account_notes
+      @note = AccountNote.find_or_initialize_by(account: @account, target_account: @target_account)
+      @note.comment = @data['comment']
+      @note.save! if @note.changed?
     end
 
     true

app/services/bulk_import_service.rb

@@ -18,6 +18,8 @@ class BulkImportService < BaseService
       import_bookmarks!
     when :lists
       import_lists!
+    when :account_notes
+      import_account_notes!
     end
 
     @import.update!(state: :finished, finished_at: Time.now.utc) if @import.processed_items == @import.total_items
@@ -182,4 +184,32 @@ class BulkImportService < BaseService
       [row.id]
     end
   end
+
+  def import_account_notes!
+    rows_by_acct = extract_rows_by_acct
+
+    if @import.overwrite?
+      @account.account_notes.reorder(nil).find_each do |account_note|
+        row = rows_by_acct.delete(account_note.target_account.acct)
+
+        if row.nil?
+          account_note.destroy!
+        else
+          row.destroy
+          @import.processed_items += 1
+          @import.imported_items += 1
+          @note = AccountNote.find_or_initialize_by(account: @account, target_account: row.data['acct'])
+          @note.comment = row.data['comment']
+          @note.save! if @note.changed?
+        end
+      end
+
+      # Save pending infos due to `overwrite?` handling
+      @import.save!
+    end
+
+    Import::RowWorker.push_bulk(rows) do |row|
+      [row.id]
+    end
+  end
 end

app/views/settings/exports/show.html.haml

@@ -12,6 +12,10 @@
         %th= t('accounts.posts_tab_heading')
         %td= number_with_delimiter @export_summary.total_statuses
         %td
+      %tr
+        %th= t('exports.account_notes')
+        %td= number_with_delimiter @export_summary.total_account_notes
+        %td= table_link_to 'download', t('exports.csv'), settings_exports_account_notes_path(format: :csv)
       %tr
         %th= t('admin.accounts.follows')
         %td= number_with_delimiter @export_summary.total_follows

app/views/settings/imports/index.html.haml

@@ -5,7 +5,7 @@
   .field-group
     = f.input :type,
               as: :grouped_select,
-              collection: { constructive: %i(following bookmarks lists), destructive: %i(muting blocking domain_blocking) },
+              collection: { constructive: %i(following bookmarks lists), destructive: %i(muting blocking domain_blocking), other: %i(account_notes) },
               group_label_method: ->(group) { I18n.t("imports.type_groups.#{group.first}") },
               group_method: :last,
               hint: t('imports.preface'),

config/locales/en.yml

@@ -1453,6 +1453,9 @@ en:
       overwrite: Overwrite
       overwrite_long: Replace current records with the new ones
     overwrite_preambles:
+      account_notes_html:
+        one: You are about to import <strong>%{count} account note</strong> from <strong>%{filename}</strong>. Any existing account note on this account will be overwritten.
+        other: You are about to import <strong>%{count} account notes</strong> from <strong>%{filename}</strong>. Any existing account notes on these accounts will be overwritten.
       blocking_html:
         one: You are about to <strong>replace your block list</strong> with up to <strong>%{count} account</strong> from <strong>%{filename}</strong>.
         other: You are about to <strong>replace your block list</strong> with up to <strong>%{count} accounts</strong> from <strong>%{filename}</strong>.
@@ -1472,6 +1475,9 @@ en:
         one: You are about to <strong>replace your list of muted account</strong> with up to <strong>%{count} account</strong> from <strong>%{filename}</strong>.
         other: You are about to <strong>replace your list of muted accounts</strong> with up to <strong>%{count} accounts</strong> from <strong>%{filename}</strong>.
     preambles:
+      account_notes_html:
+        one: You are about to import <strong>%{count} account note</strong> from <strong>%{filename}</strong>.
+        other: You are about to import <strong>%{count} account notes</strong> from <strong>%{filename}</strong>.
       blocking_html:
         one: You are about to <strong>block</strong> up to <strong>%{count} account</strong> from <strong>%{filename}</strong>.
         other: You are about to <strong>block</strong> up to <strong>%{count} accounts</strong> from <strong>%{filename}</strong>.
@@ -1501,6 +1507,7 @@ en:
     success: Your data was successfully uploaded and will be processed in due time
     time_started: Started at
     titles:
+      account_notes: Importing account notes
       blocking: Importing blocked accounts
       bookmarks: Importing bookmarks
       domain_blocking: Importing blocked domains
@@ -1511,6 +1518,7 @@ en:
     type_groups:
       constructive: Follows & Bookmarks
       destructive: Blocks & mutes
+      other: Other
     types:
       blocking: Blocking list
       bookmarks: Bookmarks
@@ -1518,6 +1526,7 @@ en:
       following: Following list
       lists: Lists
       muting: Muting list
+      account_notes: Account notes
     upload: Upload
   invites:
     delete: Deactivate

config/routes/settings.rb

@@ -26,6 +26,7 @@ namespace :settings do
     resources :follows, only: :index, controller: :following_accounts
     resources :blocks, only: :index, controller: :blocked_accounts
     resources :mutes, only: :index, controller: :muted_accounts
+    resources :account_notes, only: :index, controller: :account_notes
     resources :lists, only: :index
     resources :domain_blocks, only: :index, controller: :blocked_domains
     resources :bookmarks, only: :index

docker-compose.yml

@@ -59,7 +59,7 @@ services:
   web:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
     restart: always
     env_file: .env.production
     command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
     # build:
     #   dockerfile: ./streaming/Dockerfile
     #   context: .
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.7
+    image: ghcr.io/mastodon/mastodon-streaming:v4.3.8
     restart: always
     env_file: .env.production
     command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
   sidekiq:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
     restart: always
     env_file: .env.production
     command: bundle exec sidekiq

lib/mastodon/version.rb

@@ -17,7 +17,7 @@ module Mastodon
     end
 
     def default_prerelease
-      'alpha.4'
+      'alpha.5'
     end
 
     def prerelease