diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/application.ex | 1 | ||||
| -rw-r--r-- | lib/pleroma/plugs/http_security_plug.ex | 47 | ||||
| -rw-r--r-- | lib/pleroma/plugs/rate_limiter/rate_limiter.ex | 37 | ||||
| -rw-r--r-- | lib/pleroma/plugs/remote_ip.ex | 3 | ||||
| -rw-r--r-- | lib/pleroma/web/activity_pub/activity_pub.ex | 6 | ||||
| -rw-r--r-- | lib/pleroma/web/mastodon_api/views/status_view.ex | 6 | ||||
| -rw-r--r-- | lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex | 12 | ||||
| -rw-r--r-- | lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex | 9 | ||||
| -rw-r--r-- | lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex | 2 | ||||
| -rw-r--r-- | lib/pleroma/web/streamer/worker.ex | 3 |
10 files changed, 107 insertions, 19 deletions
diff --git a/lib/pleroma/application.ex b/lib/pleroma/application.ex index 6fdc54aed..27758cf94 100644 --- a/lib/pleroma/application.ex +++ b/lib/pleroma/application.ex @@ -33,6 +33,7 @@ defmodule Pleroma.Application do def start(_type, _args) do Pleroma.HTML.compile_scrubbers() Pleroma.Config.DeprecationWarnings.warn() + Pleroma.Plugs.HTTPSecurityPlug.warn_if_disabled() Pleroma.Repo.check_migrations_applied!() setup_instrumenters() load_custom_modules() diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index a7cc22831..b04273979 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -6,6 +6,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do alias Pleroma.Config import Plug.Conn + require Logger + def init(opts), do: opts def call(conn, _options) do @@ -90,6 +92,51 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do |> Enum.join("; ") end + def warn_if_disabled do + unless Config.get([:http_security, :enabled]) do + Logger.warn(" + .i;;;;i. + iYcviii;vXY: + .YXi .i1c. + .YC. . in7. + .vc. ...... ;1c. + i7, .. .;1; + i7, .. ... .Y1i + ,7v .6MMM@; .YX, + .7;. ..IMMMMMM1 :t7. + .;Y. ;$MMMMMM9. :tc. + vY. .. .nMMM@MMU. ;1v. + i7i ... .#MM@M@C. .....:71i + it: .... $MMM@9;.,i;;;i,;tti + :t7. ..... 0MMMWv.,iii:::,,;St. + .nC. ..... IMMMQ..,::::::,.,czX. + .ct: ....... .ZMMMI..,:::::::,,:76Y. + c2: ......,i..Y$M@t..:::::::,,..inZY + vov ......:ii..c$MBc..,,,,,,,,,,..iI9i + i9Y ......iii:..7@MA,..,,,,,,,,,....;AA: + iIS. ......:ii::..;@MI....,............;Ez. + .I9. ......:i::::...8M1..................C0z. + .z9; ......:i::::,.. .i:...................zWX. + vbv ......,i::::,,. ................. :AQY + c6Y. .,...,::::,,..:t0@@QY. ................ :8bi + :6S. ..,,...,:::,,,..EMMMMMMI. ............... .;bZ, + :6o, .,,,,..:::,,,..i#MMMMMM#v................. YW2. + .n8i ..,,,,,,,::,,,,.. tMMMMM@C:.................. .1Wn + 7Uc. .:::,,,,,::,,,,.. i1t;,..................... .UEi + 7C...::::::::::::,,,,.. .................... vSi. + ;1;...,,::::::,......... .................. Yz: + v97,......... .voC. + izAotX7777777777777777777777777777777777777777Y7n92: + .;CoIIIIIUAA666666699999ZZZZZZZZZZZZZZZZZZZZ6ov. + +HTTP Security is disabled. Please re-enable it to prevent users from attacking +your instance and your users via malicious posts: + + config :pleroma, :http_security, enabled: true + ") + end + end + defp maybe_send_sts_header(conn, true) do max_age_sts = Config.get([:http_security, :sts_max_age]) max_age_ct = Config.get([:http_security, :ct_max_age]) diff --git a/lib/pleroma/plugs/rate_limiter/rate_limiter.ex b/lib/pleroma/plugs/rate_limiter/rate_limiter.ex index d720508c8..7fb92489c 100644 --- a/lib/pleroma/plugs/rate_limiter/rate_limiter.ex +++ b/lib/pleroma/plugs/rate_limiter/rate_limiter.ex @@ -67,6 +67,8 @@ defmodule Pleroma.Plugs.RateLimiter do alias Pleroma.Plugs.RateLimiter.LimiterSupervisor alias Pleroma.User + require Logger + def init(opts) do limiter_name = Keyword.get(opts, :name) @@ -89,18 +91,39 @@ defmodule Pleroma.Plugs.RateLimiter do def call(conn, nil), do: conn def call(conn, settings) do - settings - |> incorporate_conn_info(conn) - |> check_rate() - |> case do - {:ok, _count} -> + case disabled?() do + true -> + if Pleroma.Config.get(:env) == :prod, + do: Logger.warn("Rate limiter is disabled for localhost/socket") + conn - {:error, _count} -> - render_throttled_error(conn) + false -> + settings + |> incorporate_conn_info(conn) + |> check_rate() + |> case do + {:ok, _count} -> + conn + + {:error, _count} -> + render_throttled_error(conn) + end end end + def disabled? do + localhost_or_socket = + Pleroma.Config.get([Pleroma.Web.Endpoint, :http, :ip]) + |> Tuple.to_list() + |> Enum.join(".") + |> String.match?(~r/^local|^127.0.0.1/) + + remote_ip_disabled = not Pleroma.Config.get([Pleroma.Plugs.RemoteIp, :enabled]) + + localhost_or_socket and remote_ip_disabled + end + def inspect_bucket(conn, name_root, settings) do settings = settings diff --git a/lib/pleroma/plugs/remote_ip.ex b/lib/pleroma/plugs/remote_ip.ex index fdedc27ee..1cd5af48a 100644 --- a/lib/pleroma/plugs/remote_ip.ex +++ b/lib/pleroma/plugs/remote_ip.ex @@ -10,10 +10,7 @@ defmodule Pleroma.Plugs.RemoteIp do @behaviour Plug @headers ~w[ - forwarded x-forwarded-for - x-client-ip - x-real-ip ] # https://en.wikipedia.org/wiki/Localhost diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex index 1ac67b618..5c436941a 100644 --- a/lib/pleroma/web/activity_pub/activity_pub.ex +++ b/lib/pleroma/web/activity_pub/activity_pub.ex @@ -325,12 +325,14 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do def react_with_emoji(user, object, emoji, options \\ []) do with local <- Keyword.get(options, :local, true), activity_id <- Keyword.get(options, :activity_id, nil), - Pleroma.Emoji.is_unicode_emoji?(emoji), + true <- Pleroma.Emoji.is_unicode_emoji?(emoji), reaction_data <- make_emoji_reaction_data(user, object, emoji, activity_id), {:ok, activity} <- insert(reaction_data, local), {:ok, object} <- add_emoji_reaction_to_object(activity, object), :ok <- maybe_federate(activity) do {:ok, activity, object} + else + e -> {:error, e} end end @@ -345,6 +347,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do {:ok, object} <- remove_emoji_reaction_from_object(reaction_activity, object), :ok <- maybe_federate(activity) do {:ok, activity, object} + else + e -> {:error, e} end end diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex index e60ef709b..5df29d93f 100644 --- a/lib/pleroma/web/mastodon_api/views/status_view.ex +++ b/lib/pleroma/web/mastodon_api/views/status_view.ex @@ -256,7 +256,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do emoji_reactions = with %{data: %{"reactions" => emoji_reactions}} <- object do Enum.map(emoji_reactions, fn [emoji, users] -> - %{emoji: emoji, count: length(users)} + %{ + emoji: emoji, + count: length(users), + reacted: !!(opts[:for] && opts[:for].ap_id in users) + } end) else _ -> [] diff --git a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex index 0bbf84fd3..a2f6d2287 100644 --- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex +++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex @@ -573,11 +573,14 @@ keeping it in cache for #{div(cache_ms, 1000)}s") assumed to be emojis and stored in the new `pack.json` file. """ def import_from_fs(conn, _params) do - with {:ok, results} <- File.ls(emoji_dir_path()) do + emoji_path = emoji_dir_path() + + with {:ok, %{access: :read_write}} <- File.stat(emoji_path), + {:ok, results} <- File.ls(emoji_path) do imported_pack_names = results |> Enum.filter(fn file -> - dir_path = Path.join(emoji_dir_path(), file) + dir_path = Path.join(emoji_path, file) # Find the directories that do NOT have pack.json File.dir?(dir_path) and not File.exists?(Path.join(dir_path, "pack.json")) end) @@ -585,6 +588,11 @@ keeping it in cache for #{div(cache_ms, 1000)}s") json(conn, imported_pack_names) else + {:ok, %{access: _}} -> + conn + |> put_status(:internal_server_error) + |> json(%{error: "Error: emoji pack directory must be writable"}) + {:error, _} -> conn |> put_status(:internal_server_error) diff --git a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex index cd1c0764f..d76e39795 100644 --- a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex +++ b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex @@ -47,13 +47,16 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do Object.normalize(activity) do reactions = emoji_reactions - |> Enum.map(fn [emoji, users] -> - users = Enum.map(users, &User.get_cached_by_ap_id/1) + |> Enum.map(fn [emoji, user_ap_ids] -> + users = + Enum.map(user_ap_ids, &User.get_cached_by_ap_id/1) + |> Enum.filter(& &1) %{ emoji: emoji, count: length(users), - accounts: AccountView.render("index.json", %{users: users, for: user, as: :user}) + accounts: AccountView.render("index.json", %{users: users, for: user, as: :user}), + reacted: !!(user && user.ap_id in user_ap_ids) } end) diff --git a/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex b/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex index c2a3c07a2..fae3c462e 100644 --- a/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex +++ b/lib/pleroma/web/rich_media/parsers/meta_tags_parser.ex @@ -48,6 +48,6 @@ defmodule Pleroma.Web.RichMedia.Parsers.MetaTagsParser do defp maybe_put_title(meta, _), do: meta defp get_page_title(html) do - Floki.find(html, "title") |> List.first() |> Floki.text() + Floki.find(html, "html head title") |> List.first() |> Floki.text() end end diff --git a/lib/pleroma/web/streamer/worker.ex b/lib/pleroma/web/streamer/worker.ex index a1b445f2f..5392c1ec3 100644 --- a/lib/pleroma/web/streamer/worker.ex +++ b/lib/pleroma/web/streamer/worker.ex @@ -138,7 +138,8 @@ defmodule Pleroma.Web.Streamer.Worker do with parent <- Object.normalize(item) || item, true <- - Enum.all?([blocked_ap_ids, muted_ap_ids, reblog_muted_ap_ids], &(item.actor not in &1)), + Enum.all?([blocked_ap_ids, muted_ap_ids], &(item.actor not in &1)), + true <- item.data["type"] != "Announce" || item.actor not in reblog_muted_ap_ids, true <- Enum.all?([blocked_ap_ids, muted_ap_ids], &(parent.data["actor"] not in &1)), true <- MapSet.disjoint?(recipients, recipient_blocks), %{host: item_host} <- URI.parse(item.actor), |