Merge 77cf2abb3a into fbe9728f36

Bump version to v4.3.8 (#34626 )
Fix code style issue (#34624 )
2025-05-07 20:26:15 +00:00 · 2025-05-06 15:05:46 +00:00 · 2025-05-06 14:17:07 +00:00 · 2025-05-06 13:35:54 +00:00 · 2025-05-06 15:02:13 +02:00 · 2025-04-24 18:13:56 +02:00
9 changed files with 109 additions and 42 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,9 +2,34 @@

 All notable changes to this project will be documented in this file.

+## [4.3.8] - 2025-05-06
+
+### Security
+
+- Update dependencies
+- Check scheme on account, profile, and media URLs ([GHSA-x2rc-v5wx-g3m5](https://github.com/mastodon/mastodon/security/advisories/GHSA-x2rc-v5wx-g3m5))
+
+### Added
+
+- Add warning for REDIS_NAMESPACE deprecation at startup (#34581 by @ClearlyClaire)
+- Add built-in context for interaction policies (#34574 by @ClearlyClaire)
+
+### Changed
+
+- Change activity distribution error handling to skip retrying for deleted accounts (#33617 by @ClearlyClaire)
+
+### Removed
+
+- Remove double-query for signed query strings (#34610 by @ClearlyClaire)
+
+### Fixed
+
+- Fix incorrect redirect in response to unauthenticated API requests in limited federation mode (#34549 by @ClearlyClaire)
+- Fix sign-up e-mail confirmation page reloading on error or redirect (#34548 by @ClearlyClaire)
+
 ## [4.3.7] - 2025-04-02

-### Add
+### Added

 - Add delay to profile updates to debounce them (#34137 by @ClearlyClaire)
 - Add support for paginating partial collections in `SynchronizeFollowersService` (#34272 and #34277 by @ClearlyClaire)
--- a/app/javascript/mastodon/actions/importer/normalizer.js
+++ b/app/javascript/mastodon/actions/importer/normalizer.js
@ -77,6 +77,17 @@ export function normalizeStatus(status, normalOldStatus) {
    normalStatus.contentHtml  = emojify(normalStatus.content, emojiMap);
    normalStatus.spoilerHtml  = emojify(escapeTextContentForBrowser(spoilerText), emojiMap);
    normalStatus.hidden       = expandSpoilers ? false : spoilerText.length > 0 || normalStatus.sensitive;
+
+    if (normalStatus.url && !(normalStatus.url.startsWith('http://') || normalStatus.url.startsWith('https://'))) {
+      normalStatus.url = null;
+    }
+
+    normalStatus.url ||= normalStatus.uri;
+
+    normalStatus.media_attachments.forEach(item => {
+      if (item.remote_url && !(item.remote_url.startsWith('http://') || item.remote_url.startsWith('https://')))
+        item.remote_url = null;
+    });
  }

  if (normalOldStatus) {
--- a/app/javascript/mastodon/models/account.ts
+++ b/app/javascript/mastodon/models/account.ts
@ -144,5 +144,10 @@ export function createAccountFromServerJSON(serverJSON: ApiAccountJSON) {
    ),
    note_emojified: emojify(accountJSON.note, emojiMap),
    note_plain: unescapeHTML(accountJSON.note),
+    url:
+      accountJSON.url.startsWith('http://') ||
+      accountJSON.url.startsWith('https://')
+        ? accountJSON.url
+        : accountJSON.uri,
  });
 }
--- a/app/lib/activitypub/parser/media_attachment_parser.rb
+++ b/app/lib/activitypub/parser/media_attachment_parser.rb
@ -15,13 +15,15 @@ class ActivityPub::Parser::MediaAttachmentParser
  end

  def remote_url
-    Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['url'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
  rescue Addressable::URI::InvalidURIError
    nil
  end

  def thumbnail_remote_url
-    Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url = Addressable::URI.parse(@json['icon'].is_a?(Hash) ? @json['icon']['url'] : @json['icon'])&.normalize&.to_s
+    url unless unsupported_uri_scheme?(url)
  rescue Addressable::URI::InvalidURIError
    nil
  end
--- a/app/lib/activitypub/parser/status_parser.rb
+++ b/app/lib/activitypub/parser/status_parser.rb
@ -29,7 +29,10 @@ class ActivityPub::Parser::StatusParser
  end

  def url
-    url_to_href(@object['url'], 'text/html') if @object['url'].present?
+    return if @object['url'].blank?
+
+    url = url_to_href(@object['url'], 'text/html')
+    url unless unsupported_uri_scheme?(url)
  end

  def text
--- a/app/lib/activitypub/tag_manager.rb
+++ b/app/lib/activitypub/tag_manager.rb
@ -4,6 +4,7 @@ require 'singleton'

 class ActivityPub::TagManager
  include Singleton
+  include JsonLdHelper
  include RoutingHelper

  CONTEXT = 'https://www.w3.org/ns/activitystreams'
@ -17,7 +18,7 @@ class ActivityPub::TagManager
  end

  def url_for(target)
-    return target.url if target.respond_to?(:local?) && !target.local?
+    return unsupported_uri_scheme?(target.url) ? nil : target.url if target.respond_to?(:local?) && !target.local?

    return unless target.respond_to?(:object_type)

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -59,7 +59,7 @@ services:
  web:
    # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
    # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
    restart: always
    env_file: .env.production
    command: bundle exec puma -C config/puma.rb
@ -83,7 +83,7 @@ services:
    # build:
    #   dockerfile: ./streaming/Dockerfile
    #   context: .
-    image: ghcr.io/mastodon/mastodon-streaming:v4.3.7
+    image: ghcr.io/mastodon/mastodon-streaming:v4.3.8
    restart: always
    env_file: .env.production
    command: node ./streaming/index.js
@ -102,7 +102,7 @@ services:
  sidekiq:
    # You can uncomment the following line if you want to not use the prebuilt image, for example if you have local code changes
    # build: .
-    image: ghcr.io/mastodon/mastodon:v4.3.7
+    image: ghcr.io/mastodon/mastodon:v4.3.8
    restart: always
    env_file: .env.production
    command: bundle exec sidekiq
--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
@ -17,7 +17,7 @@ module Mastodon
    end

    def default_prerelease
-      'alpha.4'
+      'alpha.5'
    end

    def prerelease
--- a/spec/requests/oauth/token_spec.rb
+++ b/spec/requests/oauth/token_spec.rb
@ -5,32 +5,36 @@ require 'rails_helper'
 RSpec.describe 'Managing OAuth Tokens' do
  describe 'POST /oauth/token' do
    subject do
-      post '/oauth/token', params: params
+      post '/oauth/token', params: params, headers: headers
    end

    let(:application) do
      Fabricate(:application, scopes: 'read write follow', redirect_uri: 'urn:ietf:wg:oauth:2.0:oob')
    end
-    let(:params) do
+
+    # This is using the OAuth client_secret_basic client authentication method
+    let(:headers) do
      {
-        grant_type: grant_type,
-        client_id: application.uid,
-        client_secret: application.secret,
-        redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
-        code: code,
-        scope: scope,
+        Authorization: ActionController::HttpAuthentication::Basic.encode_credentials(application.uid, application.secret),
      }
    end

    context "with grant_type 'authorization_code'" do
-      let(:grant_type) { 'authorization_code' }
+      let(:params) do
+        {
+          grant_type: 'authorization_code',
+          redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
+          code: code,
+        }
+      end
+
      let(:code) do
        access_grant = Fabricate(:access_grant, application: application, redirect_uri: 'urn:ietf:wg:oauth:2.0:oob', scopes: 'read write')
        access_grant.plaintext_token
      end

      shared_examples 'original scope request preservation' do
-        it 'returns all scopes requested for the given code' do
+        it 'returns all scopes requested by the authorization code' do
          subject

          expect(response).to have_http_status(200)
@ -38,36 +42,51 @@ RSpec.describe 'Managing OAuth Tokens' do
        end
      end

-      context 'with no scopes specified' do
-        let(:scope) { nil }
+      context 'with client authentication via params' do
+        let(:headers) { nil }
+        let(:params) do
+          {
+            grant_type: 'authorization_code',
+            redirect_uri: 'urn:ietf:wg:oauth:2.0:oob',
+            client_id: application.uid,
+            client_secret: application.secret,
+            code: code,
+          }
+        end

        it_behaves_like 'original scope request preservation'
      end

-      context 'with scopes specified' do
-        context 'when the scopes were requested for this code' do
-          let(:scope) { 'write' }
-
-          it_behaves_like 'original scope request preservation'
-        end
-
-        context 'when the scope was not requested for the code' do
-          let(:scope) { 'follow' }
-
-          it_behaves_like 'original scope request preservation'
-        end
-
-        context 'when the scope does not belong to the application' do
-          let(:scope) { 'push' }
-
-          it_behaves_like 'original scope request preservation'
-        end
-      end
+      it_behaves_like 'original scope request preservation'
    end

    context "with grant_type 'client_credentials'" do
-      let(:grant_type) { 'client_credentials' }
-      let(:code) { nil }
+      let(:scope) { nil }
+      let(:params) do
+        {
+          grant_type: 'client_credentials',
+          scope: scope,
+        }
+      end
+
+      context 'with client authentication via params' do
+        let(:headers) { nil }
+        let(:params) do
+          {
+            grant_type: 'client_credentials',
+            client_id: application.uid,
+            client_secret: application.secret,
+            scope: scope,
+          }
+        end
+
+        it 'returns only the default scope' do
+          subject
+
+          expect(response).to have_http_status(200)
+          expect(response.parsed_body[:scope]).to eq('read')
+        end
+      end

      context 'with no scopes specified' do
        let(:scope) { nil }
@ -99,6 +118,7 @@ RSpec.describe 'Managing OAuth Tokens' do
            subject

            expect(response).to have_http_status(400)
+            expect(response.parsed_body[:error]).to eq 'invalid_scope'
          end
        end
      end
Author	SHA1	Message	Date
Emelia Smith	e5f17147f5	Merge `77cf2abb3a` into `fbe9728f36`	2025-05-06 15:05:46 +00:00
Claire	fbe9728f36	Bump version to v4.3.8 (#34626 ) Some checks are pending Check i18n / check-i18n (push) Waiting to run Details CodeQL / Analyze (javascript) (push) Waiting to run Details CodeQL / Analyze (ruby) (push) Waiting to run Details Check formatting / lint (push) Waiting to run Details JavaScript Linting / lint (push) Waiting to run Details Ruby Linting / lint (push) Waiting to run Details JavaScript Testing / test (push) Waiting to run Details Historical data migration test / test (14-alpine) (push) Waiting to run Details Historical data migration test / test (15-alpine) (push) Waiting to run Details Historical data migration test / test (16-alpine) (push) Waiting to run Details Historical data migration test / test (17-alpine) (push) Waiting to run Details Ruby Testing / build (production) (push) Waiting to run Details Ruby Testing / build (test) (push) Waiting to run Details Ruby Testing / test (.ruby-version) (push) Blocked by required conditions Details Ruby Testing / test (3.2) (push) Blocked by required conditions Details Ruby Testing / test (3.3) (push) Blocked by required conditions Details Ruby Testing / Libvips tests (.ruby-version) (push) Blocked by required conditions Details Ruby Testing / Libvips tests (3.2) (push) Blocked by required conditions Details Ruby Testing / Libvips tests (3.3) (push) Blocked by required conditions Details Ruby Testing / End to End testing (.ruby-version) (push) Blocked by required conditions Details Ruby Testing / End to End testing (3.2) (push) Blocked by required conditions Details Ruby Testing / End to End testing (3.3) (push) Blocked by required conditions Details Ruby Testing / Elastic Search integration testing (.ruby-version, docker.elastic.co/elasticsearch/elasticsearch:7.17.13) (push) Blocked by required conditions Details Ruby Testing / Elastic Search integration testing (.ruby-version, docker.elastic.co/elasticsearch/elasticsearch:8.10.2) (push) Blocked by required conditions Details Ruby Testing / Elastic Search integration testing (.ruby-version, opensearchproject/opensearch:2) (push) Blocked by required conditions Details Ruby Testing / Elastic Search integration testing (3.2, docker.elastic.co/elasticsearch/elasticsearch:7.17.13) (push) Blocked by required conditions Details Ruby Testing / Elastic Search integration testing (3.3, docker.elastic.co/elasticsearch/elasticsearch:7.17.13) (push) Blocked by required conditions Details	2025-05-06 14:17:07 +00:00
Claire	3bbf3e9709	Fix code style issue (#34624 )	2025-05-06 13:35:54 +00:00
Claire	79931bf3ae	Merge commit from fork * Check scheme in account and post links * Harden media attachments * Client-side mitigation * Client-side mitigation for media attachments	2025-05-06 15:02:13 +02:00
Emelia Smith	77cf2abb3a	Improve /oauth/token request specs Previously these specs passed incorrect parameters to both the authorization_code and client_credentials grant flows. The authorization_code flow does not accept a `scope` parameter, instead the scope is set when the access grant is created, per RFC 6749 Section 4.1.2. The `code` parameter is accepted by this flow. https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2 The client_credentials flow does not accept a `code` parameter, and instead accepts a `scope` parameter, per RFC 6749 Section 4.4.1 https://www.rfc-editor.org/rfc/rfc6749#section-4.4.1 This ensures we're only testing valid oauth flows, and not deviating from the specification. The OAuth flows should ignore any unknown parameters (i.e., passing `code` to client_credentials would have no impact on the functionality, and this would be asserted at the Doorkeeper level).	2025-04-24 18:13:56 +02:00
Emelia Smith	5a5f1a3718	Change /oauth/token request specs to use client_secret_basic authentication	2025-04-24 18:11:10 +02:00