* enhance: Add a few validation fixes from Sharkey
See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484
Co-Authored-By: Dakkar <dakkar@thenautilus.net>
* fix: primitive 2: acceptance of cross-origin alternate
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 3: validation of non-final url
* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
* fix: primitives 5 & 8: reject activities with non-string identifiers
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 6: reject anonymous objects that were fetched by their id
* fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections
* fix: code style for primitive 14
* fix: primitive 15: improper same-origin validation for note uri and url
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 16: improper same-origin validation for user uri and url
* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
* fix: code style for primitive 17
* fix: check attribution against actor in notes
While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.
* fix: primitive 18: `ap/get` bypasses access checks
One might argue that we could make this one actually perform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.
* fix: primitive 19 & 20: respect blocks and hide more
Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.
* fix: primitives 21, 22, and 23: reuse resolver
This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher than it previously would and could possibly
fail on non-malicious collection activities.
* fix: primitives 25-33: proper local instance checks
* revert: fix: primitive 19 & 20
This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.
---------
Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
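Several of the primitives fixed in the merge above share one root cause: an identifier taken from a fetched ActivityPub object was trusted without checking that it is a single string, that it parses as an http(s) URL, and that it is same-origin with the URL the object was actually served from (after redirects). The following is an added illustration of that class of check; it is not code from Sharkey, Misskey or this repository, and the function names (`getStrictId`, `isSameOrigin`, `assertFetchedObjectValid`) and the constructed sample objects are mine.

```typescript
// Added example: strict same-origin identifier validation for fetched
// ActivityPub objects. Not project code; all names here are hypothetical.

type ApValue = unknown;

/**
 * Return the id only if it is a single string parsing as an http(s) URL.
 * Arrays, numbers, nested objects and other shapes return null, so an id
 * wrapped in an array can never slip through a later string comparison.
 */
function getStrictId(value: ApValue): string | null {
  if (typeof value !== 'string') return null;
  let url: URL;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.href;
}

/** True when two absolute URLs share scheme, host and port. */
function isSameOrigin(a: string, b: string): boolean {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch {
    return false;
  }
}

/**
 * Validate a fetched object against `finalUrl`, the URL the response was
 * actually received from after following redirects (not the URL requested;
 * validating the non-final URL is exactly the gap a redirect exploits).
 * Returns the canonical id or throws describing the rejected condition.
 *
 * Assumption: `url` is handled only as a string or array of strings; Link
 * objects are out of scope for this example and are rejected.
 */
function assertFetchedObjectValid(finalUrl: string, obj: Record<string, ApValue>): string {
  const id = getStrictId(obj.id);
  if (id === null) {
    // Covers anonymous objects (no id) as well as non-string or array ids.
    throw new Error('object id missing or not a single string http(s) URL');
  }
  if (!isSameOrigin(finalUrl, id)) {
    throw new Error(`object id ${id} is not same-origin with ${finalUrl}`);
  }
  if (obj.url !== undefined) {
    const urls = Array.isArray(obj.url) ? obj.url : [obj.url];
    for (const candidate of urls) {
      const u = getStrictId(candidate);
      if (u === null || !isSameOrigin(id, u)) {
        throw new Error('object url is not a single same-origin string URL');
      }
    }
  }
  return id;
}

// Constructed sample: a note whose id and url agree with the fetch origin.
const sampleNote: Record<string, ApValue> = {
  id: 'https://example.org/notes/1',
  type: 'Note',
  url: 'https://example.org/@alice/1',
};

function demo(): string {
  return assertFetchedObjectValid('https://example.org/notes/1', sampleNote);
}
```

The caller is responsible for passing the post-redirect URL into `assertFetchedObjectValid`; a fetch wrapper that only knows the requested URL cannot make this check meaningful.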
* upd: attempt to turn MFM to html on mastodon
* revert: recent change until better implementation later
* chore: remove unused packages
* Update docker.yml
* upd: add MFM to HTML for timelines and status view
* chore: lint
* upd: megalodon resolve urls
* upd: add splitting
* test: local user mention
* test: change local user url in mention
* upd: change check
* test: megalodon changes
* upd: edit resolving of local users
This is starting to drive me nuts
* upd: remove the @ symbol in query
* fix: make renderPerson return host instead of null for local
* upd: change url for local user
* upd: change limit
* upd: add url to output
* upd: add mastodon boolean
* test: test different format
* fix: test of different format
* test: change up resolving
* fix: forgot to provide url
* upd: change lookup function a bit
* test: substring
* test: regex
* upd: remove substr
* test: new regexes
* dirty test
* test: one last attempt for today
* upd: fix build error
* upd: take input from iceshrimp dev
* upd: parse remote statuses
* upd: fix pleroma users misformatted urls
* upd: add uri to normal user
* fix: forgot to push updated types
* fix: resolving broke
* fix: html not converting correctly
* fix: return default img if no banner
* upd: swap out img used for no header, set fallback avatar
* fix: html escaped & and ' symbols
* upd: fix ' converting into 39; and get profile fields
* upd: resolve fields on lookup
---------
Co-authored-by: Amelia Yukii <123300075+Insert5StarName@users.noreply.github.com>
* chore: Add the SPDX information to each file
Add copyright and licensing information as defined in version 3.0 of
the REUSE Specification.
* tweak format
---------
Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>