Merge 1fa95e13cd into fbe9728f36

* Check scheme in account and post links

* Harden media attachments

* Client-side mitigation

* Client-side mitigation for media attachments

CHANGELOG.md

@@ -2,9 +2,34 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.3.8] - 2025-05-06
+
+### Security
+
+- Update dependencies
+- Check scheme on account, profile, and media URLs ([GHSA-x2rc-v5wx-g3m5](https://github.com/mastodon/mastodon/security/advisories/GHSA-x2rc-v5wx-g3m5))
+
+### Added
+
+- Add warning for REDIS_NAMESPACE deprecation at startup (#34581 by @ClearlyClaire)
+- Add built-in context for interaction policies (#34574 by @ClearlyClaire)
+
+### Changed
+
+- Change activity distribution error handling to skip retrying for deleted accounts (#33617 by @ClearlyClaire)
+
+### Removed
+
+- Remove double-query for signed query strings (#34610 by @ClearlyClaire)
+
+### Fixed
+
+- Fix incorrect redirect in response to unauthenticated API requests in limited federation mode (#34549 by @ClearlyClaire)
+- Fix sign-up e-mail confirmation page reloading on error or redirect (#34548 by @ClearlyClaire)
+
 ## [4.3.7] - 2025-04-02
 
-### Add
+### Added
 
 - Add delay to profile updates to debounce them (#34137 by @ClearlyClaire)
 - Add support for paginating partial collections in `SynchronizeFollowersService` (#34272 and #34277 by @ClearlyClaire)

app/javascript/mastodon/actions/importer/normalizer.js

@@ -77,6 +77,17 @@ export function normalizeStatus(status, normalOldStatus) {
     normalStatus.contentHtml  = emojify(normalStatus.content, emojiMap);
     normalStatus.spoilerHtml  = emojify(escapeTextContentForBrowser(spoilerText), emojiMap);
     normalStatus.hidden       = expandSpoilers ? false : spoilerText.length > 0 || normalStatus.sensitive;
+
+    if (normalStatus.url && !(normalStatus.url.startsWith('http://') || normalStatus.url.startsWith('https://'))) {
+      normalStatus.url = null;
+    }
+
+    normalStatus.url ||= normalStatus.uri;
+
+    normalStatus.media_attachments.forEach(item => {
+      if (item.remote_url && !(item.remote_url.startsWith('http://') || item.remote_url.startsWith('https://')))
+        item.remote_url = null;
+    });
   }
 
   if (normalOldStatus) {

app/javascript/mastodon/components/badge.jsx

@@ -1,31 +0,0 @@
-import PropTypes from 'prop-types';
-
-import { FormattedMessage } from 'react-intl';
-
-import GroupsIcon from '@/material-icons/400-24px/group.svg?react';
-import PersonIcon from '@/material-icons/400-24px/person.svg?react';
-import SmartToyIcon from '@/material-icons/400-24px/smart_toy.svg?react';
-
-
-export const Badge = ({ icon = <PersonIcon />, label, domain, roleId }) => (
-  <div className='account-role' data-account-role-id={roleId}>
-    {icon}
-    {label}
-    {domain && <span className='account-role__domain'>{domain}</span>}
-  </div>
-);
-
-Badge.propTypes = {
-  icon: PropTypes.node,
-  label: PropTypes.node,
-  domain: PropTypes.node,
-  roleId: PropTypes.string
-};
-
-export const GroupBadge = () => (
-  <Badge icon={<GroupsIcon />} label={<FormattedMessage id='account.badges.group' defaultMessage='Group' />} />
-);
-
-export const AutomatedBadge = () => (
-  <Badge icon={<SmartToyIcon />} label={<FormattedMessage id='account.badges.bot' defaultMessage='Automated' />} />
-);

app/javascript/mastodon/components/badge.tsx

@@ -0,0 +1,45 @@
+import type { FC, ReactNode } from 'react';
+
+import { FormattedMessage } from 'react-intl';
+
+import GroupsIcon from '@/material-icons/400-24px/group.svg?react';
+import PersonIcon from '@/material-icons/400-24px/person.svg?react';
+import SmartToyIcon from '@/material-icons/400-24px/smart_toy.svg?react';
+
+interface BadgeProps {
+  icon?: ReactNode;
+  label?: ReactNode;
+  domain?: ReactNode;
+  roleId?: string;
+}
+
+export const Badge: FC<BadgeProps> = ({
+  icon = <PersonIcon />,
+  label,
+  domain,
+  roleId,
+}) => (
+  <div className='account-role' data-account-role-id={roleId}>
+    {icon}
+    {label}
+    {domain && <span className='account-role__domain'>{domain}</span>}
+  </div>
+);
+
+export const GroupBadge = () => (
+  <Badge
+    icon={<GroupsIcon />}
+    label={
+      <FormattedMessage id='account.badges.group' defaultMessage='Group' />
+    }
+  />
+);
+
+export const AutomatedBadge = () => (
+  <Badge
+    icon={<SmartToyIcon />}
+    label={
+      <FormattedMessage id='account.badges.bot' defaultMessage='Automated' />
+    }
+  />
+);

app/javascript/mastodon/containers/admin_component.jsx

@@ -1,22 +0,0 @@
-import PropTypes from 'prop-types';
-import { PureComponent } from 'react';
-
-import { IntlProvider } from 'mastodon/locales';
-
-export default class AdminComponent extends PureComponent {
-
-  static propTypes = {
-    children: PropTypes.node.isRequired,
-  };
-
-  render () {
-    const { children } = this.props;
-
-    return (
-      <IntlProvider>
-        {children}
-      </IntlProvider>
-    );
-  }
-
-}

app/javascript/mastodon/containers/admin_component.tsx

@@ -0,0 +1,17 @@
+import React, { ReactNode } from 'react';
+
+import { IntlProvider } from 'mastodon/locales';
+
+interface Props {
+  children: ReactNode;
+}
+
+const AdminComponent: React.FC<Props> = ({ children }) => {
+  return (
+    <IntlProvider>
+      {children}
+    </IntlProvider>
+  );
+};
+
+export default AdminComponent;

app/javascript/mastodon/features/notifications/components/clear_column_button.jsx

@@ -1,21 +0,0 @@
-import PropTypes from 'prop-types';
-import { PureComponent } from 'react';
-
-import { FormattedMessage } from 'react-intl';
-
-import DeleteForeverIcon from '@/material-icons/400-24px/delete_forever.svg?react';
-import { Icon }  from 'mastodon/components/icon';
-
-export default class ClearColumnButton extends PureComponent {
-
-  static propTypes = {
-    onClick: PropTypes.func.isRequired,
-  };
-
-  render () {
-    return (
-      <button className='text-btn column-header__setting-btn' tabIndex={0} onClick={this.props.onClick}><Icon id='eraser' icon={DeleteForeverIcon} /> <FormattedMessage id='notifications.clear' defaultMessage='Clear notifications' /></button>
-    );
-  }
-
-}

app/javascript/mastodon/features/notifications/components/clear_column_button.tsx

@@ -0,0 +1,27 @@
+import React, { MouseEventHandler } from 'react';
+import { FormattedMessage } from 'react-intl';
+
+import DeleteForeverIcon from '@/material-icons/400-24px/delete_forever.svg?react';
+import { Icon } from 'mastodon/components/icon';
+
+interface Props {
+  onClick?: MouseEventHandler<HTMLButtonElement>;
+}
+
+const ClearColumnButton: React.FC<Props> = ({ onClick }) => {
+  return (
+    <button
+      className='text-btn column-header__setting-btn'
+      tabIndex={0}
+      onClick={onClick}
+    >
+      <Icon id='eraser' icon={DeleteForeverIcon} />{' '}
+      <FormattedMessage
+        id='notifications.clear'
+        defaultMessage='Clear notifications'
+      />
+    </button>
+  );
+};
+
+export default ClearColumnButton;

app/javascript/mastodon/features/notifications/components/grant_permission_button.jsx

@@ -1,20 +0,0 @@
-import PropTypes from 'prop-types';
-import { PureComponent } from 'react';
-
-import { FormattedMessage } from 'react-intl';
-
-export default class GrantPermissionButton extends PureComponent {
-
-  static propTypes = {
-    onClick: PropTypes.func.isRequired,
-  };
-
-  render () {
-    return (
-      <button className='text-btn column-header__permission-btn' tabIndex={0} onClick={this.props.onClick}>
-        <FormattedMessage id='notifications.grant_permission' defaultMessage='Grant permission.' />
-      </button>
-    );
-  }
-
-}

app/javascript/mastodon/features/notifications/components/grant_permission_button.tsx

@@ -0,0 +1,23 @@
+import { MouseEventHandler } from 'react';
+import { FormattedMessage } from 'react-intl';
+
+interface Props {
+  onClick: MouseEventHandler<HTMLButtonElement>;
+}
+
+const GrantPermissionButton: React.FC<Props> = ({ onClick }) => {
+  return (
+    <button
+      className='text-btn column-header__permission-btn'
+      tabIndex={0}
+      onClick={onClick}
+    >
+      <FormattedMessage
+        id='notifications.grant_permission'
+        defaultMessage='Grant permission.'
+      />
+    </button>
+  );
+};
+
+export default GrantPermissionButton;

app/javascript/mastodon/features/ui/components/__tests__/column-test.tsx

@@ -9,17 +9,29 @@ describe('<Column />', () => {
     it('runs the scroll animation if the column contains scrollable content', () => {
       const scrollToMock = jest.fn();
       const { container } = render(
-        <Column heading='notifications' icon='notifications' iconComponent={fakeIcon}>
+        <Column
+          heading='notifications'
+          icon='notifications'
+          iconComponent={fakeIcon}
+        >
           <div className='scrollable' />
         </Column>,
       );
-      container.querySelector('.scrollable').scrollTo = scrollToMock;
+      const scrollable = container.querySelector('.scrollable');
+      if (scrollable?.scrollTo) scrollable.scrollTo = scrollToMock;
+
       fireEvent.click(screen.getByText('notifications'));
       expect(scrollToMock).toHaveBeenCalledWith({ behavior: 'smooth', top: 0 });
     });
 
     it('does not try to scroll if there is no scrollable content', () => {
-      render(<Column heading='notifications' icon='notifications' iconComponent={fakeIcon} />);
+      render(
+        <Column
+          heading='notifications'
+          icon='notifications'
+          iconComponent={fakeIcon}
+        />,
+      );
       fireEvent.click(screen.getByText('notifications'));
     });
   });

app/javascript/mastodon/features/ui/components/column_subheading.jsx

@@ -1,15 +0,0 @@
-import PropTypes from 'prop-types';
-
-const ColumnSubheading = ({ text }) => {
-  return (
-    <div className='column-subheading'>
-      {text}
-    </div>
-  );
-};
-
-ColumnSubheading.propTypes = {
-  text: PropTypes.string.isRequired,
-};
-
-export default ColumnSubheading;

app/javascript/mastodon/features/ui/components/column_subheading.tsx

@@ -0,0 +1,11 @@
+import React from 'react';
+
+interface Props {
+  text: string;
+}
+
+const ColumnSubheading: React.FC<Props> = ({ text }) => {
+  return <div className='column-subheading'>{text}</div>;
+};
+
+export default ColumnSubheading;

app/javascript/mastodon/models/account.ts

@@ -144,5 +144,10 @@ export function createAccountFromServerJSON(serverJSON: ApiAccountJSON) {
     ),
     note_emojified: emojify(accountJSON.note, emojiMap),
     note_plain: unescapeHTML(accountJSON.note),
+    url:
+      accountJSON.url.startsWith('http://') ||
+      accountJSON.url.startsWith('https://')
+        ? accountJSON.url
+        : accountJSON.uri,
   });
 }

app/lib/activitypub/parser/media_attachment_parser.rb

@@ -15,13 +15,15 @@ class ActivityPub::Parser::MediaAttachmentParser
   end
 
   def remote_url
-    Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
   rescue Addressable::URI::InvalidURIError
     nil
   end
 
   def thumbnail_remote_url
-    Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
   rescue Addressable::URI::InvalidURIError
     nil
   end

app/lib/activitypub/parser/status_parser.rb

@@ -29,7 +29,10 @@ class ActivityPub::Parser::StatusParser
   end
 
   def url
-    url_to_href(@object['url'], 'text/html') if @object['url'].present?
+    return if @object['url'].blank?
+
+    url = url_to_href(@object['url'], 'text/html')
+    url unless unsupported_uri_scheme?(url)
   end
 
   def text

app/lib/activitypub/tag_manager.rb

@@ -4,6 +4,7 @@ require 'singleton'
 
 class ActivityPub::TagManager
   include Singleton
+  include JsonLdHelper
   include RoutingHelper
 
   CONTEXT = 'https://www.w3.org/ns/activitystreams'
@@ -17,7 +18,7 @@ class ActivityPub::TagManager
   end
 
   def url_for(target)
-    return target.url if target.respond_to?(:local?) && !target.local?
+    return unsupported_uri_scheme?(target.url) ? nil : target.url if target.respond_to?(:local?) && !target.local?
 
     return unless target.respond_to?(:object_type)
 

docker-compose.yml

@@ -59,7 +59,7 @@ services:
   web:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
     restart: always
     env_file: .env.production
     command: bundle exec puma -C config/puma.rb
@@ -83,7 +83,7 @@ services:
     # build:
     #   dockerfile: ./streaming/Dockerfile
     #   context: .
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.7
+    image: ghcr.io/mastodon/mastodon-streaming:v4.3.8
     restart: always
     env_file: .env.production
     command: node ./streaming/index.js
@@ -102,7 +102,7 @@ services:
   sidekiq:
     # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
     # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
     restart: always
     env_file: .env.production
     command: bundle exec sidekiq

lib/mastodon/version.rb

@@ -17,7 +17,7 @@ module Mastodon
     end
 
     def default_prerelease
-      'alpha.4'
+      'alpha.5'
     end
 
     def prerelease