Commit graph

16666 commits

Author SHA1 Message Date
Mark Felder
427da7a99a Rate Limit the OAuth App spam 2024-09-04 09:22:58 -04:00
feld
fbcfbde833 Merge branch 'revert-9077d092' into 'develop'
Revert "Merge branch 'oauth-app-spam' into 'develop'"

See merge request pleroma/pleroma!4249
2024-09-04 02:41:31 +00:00
feld
92d5f0ac14 Revert "Merge branch 'oauth-app-spam' into 'develop'"
This reverts merge request !4244
2024-09-04 02:22:25 +00:00
marcin mikołajczak
fecfe8bf89 Merge branch 'scrubbers-allow-mention-hashtag' into 'develop'
scrubbers/default: Allow "mention hashtag" classes used by Mastodon

See merge request pleroma/pleroma!4245
2024-09-02 11:08:33 +00:00
marcin mikołajczak
37397a43be scrubbers/default: Allow "mention hashtag" classes used by Mastodon
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2024-09-02 12:39:29 +02:00
feld
9077d0925b Merge branch 'oauth-app-spam' into 'develop'
Fix OAuth app spam

See merge request pleroma/pleroma!4244
2024-09-01 18:24:06 +00:00
feld
61e4be396f Merge branch 'drop-unknown-deletes' into 'develop'
Drop unwanted activities from unknown actors

See merge request pleroma/pleroma!4236
2024-09-01 18:08:07 +00:00
Mark Felder
751d63d4bb Support OAuth App updating the website URL 2024-09-01 13:55:45 -04:00
Mark Felder
e3a7c1d906 Test that app scopes can be updated 2024-09-01 12:37:59 -04:00
Mark Felder
5a1144208d Prevent OAuth App flow from creating duplicate entries 2024-09-01 12:27:16 -04:00
Mark Felder
bb235f913f Update changelog 2024-08-30 10:05:12 -04:00
Mark Felder
11ee94ae17 InboxGuardPlug: Add early rejection of unknown activity types 2024-08-30 10:05:09 -04:00
Mark Felder
e38f5f1a81 Add recognized activity types to a constant and use it in the test 2024-08-30 09:47:45 -04:00
feld
5205e846eb Update allowed activity types from strangers
Move is emitted from the old account
EmojiReact is ~ Like
Announced TBD
2024-08-30 09:30:33 -04:00
Mark Felder
094da5d634 Update changelog 2024-08-29 16:05:40 -04:00
Mark Felder
012132303f Test more types we do not want to receive from strangers 2024-08-29 16:05:40 -04:00
Mark Felder
2b39956acb Fix test title to be more specific as it has a broader but incorrect meaning 2024-08-29 16:05:40 -04:00
Mark Felder
990b2058df Remove unnecessary error match in ReceiverWorker 2024-08-29 16:05:40 -04:00
Mark Felder
e2cdae2c88 Change relay inbox response when not federating to a 403 for consistency 2024-08-29 16:05:40 -04:00
Mark Felder
16a9b34876 Convert to an Plug called InboxGuard 2024-08-29 16:05:36 -04:00
Mark Felder
06deacd58e Formatting 2024-08-29 11:59:42 -04:00
Mark Felder
7bcc21ad6f Switch test to the inbox 2024-08-29 11:59:42 -04:00
feld
27fcc42171 Use Pleroma.Object.Containment.get_actor/1 to reliably find the actor of an incoming activity or object 2024-08-29 11:59:42 -04:00
Mark Felder
1c394dd18c Move the check to the inbox 2024-08-29 11:59:42 -04:00
Mark Felder
4bc6f334f4 Revert unintentional change 2024-08-29 11:59:42 -04:00
Mark Felder
ceffb8a891 Drop incoming Delete activities from unknown actors 2024-08-29 11:59:42 -04:00
feld
62856ab18f Merge branch 'todo-fixes' into 'develop'
Clean up Elixir 1.13 TODOs

See merge request pleroma/pleroma!4233
2024-08-29 15:27:53 +00:00
Mark Felder
b5814dc9b3 Merge remote-tracking branch 'origin/develop' into todo-fixes 2024-08-29 11:01:02 -04:00
feld
8d07034608 Merge branch 'pleroma-http-stream' into 'develop'
Pleroma.HTTP: support streaming response bodies

See merge request pleroma/pleroma!4239
2024-08-29 14:54:01 +00:00
Mark Felder
c17a78c55a Rich Media: add stream byte counting as an extra protection against malicious URLs 2024-08-29 09:37:11 -04:00
Mark Felder
d01569822e Changelog 2024-08-28 19:57:18 -04:00
Mark Felder
8ab4dd20df Update comments, remove solved TODO 2024-08-28 19:52:29 -04:00
Mark Felder
0bf82a1745 Add an AdapterHelper for Finch so we can support streaming request bodies 2024-08-28 19:50:51 -04:00
feld
7910b235c7 Merge branch 'user-refresh-oban-tests' into 'develop'
ReceiverWorker: tests, improvements

See merge request pleroma/pleroma!4241
2024-08-28 23:24:33 +00:00
Mark Felder
1821ef4f15 Move user active check into Federator.perform/1 2024-08-28 18:35:09 -04:00
marcin mikołajczak
1e8b79956e Merge branch 'docs-fix' into 'develop'
Correct response in AdminAPI docs

See merge request pleroma/pleroma!4240
2024-08-28 22:04:18 +00:00
Mark Felder
e498d252e4 Changelog update 2024-08-28 18:03:33 -04:00
Mark Felder
8a3efa7152 More error annotations 2024-08-28 18:02:35 -04:00
Mark Felder
c5ca806aa0 Add back one of the duplicate checks to fix a test, document where it comes from 2024-08-28 17:57:34 -04:00
Mark Felder
380a6a6df3 :validate_object is not a real error returned from anywhere 2024-08-28 17:45:31 -04:00
Mark Felder
2346807ac9 Annotate error cases 2024-08-28 17:44:33 -04:00
Mark Felder
2e9515578a ReceiverWorker job canceled due to deleted object 2024-08-28 17:38:13 -04:00
Mark Felder
6ae629cfe0 Cancel ReceiverWorker jobs if the user account has been disabled / deactivated 2024-08-28 17:24:59 -04:00
Mark Felder
bb2f4a76b3 Add test for origin containment failures 2024-08-28 17:01:30 -04:00
Mark Felder
3dadb9ed08 Changelog 2024-08-28 16:37:46 -04:00
Mark Felder
48a4661885 Simplify test, move data into a json fixture
By removing the inReplyTo, tags, and cc we can simplify the test and it still passes signature validation
2024-08-28 16:31:59 -04:00
Mark Felder
66e1b40895 Cancel if the User fetch resulted in a 410 2024-08-28 16:04:12 -04:00
Mark Felder
60101e240d Add test confirming cancellation for activity by a deleted user 2024-08-28 15:54:49 -04:00
Mark Felder
fc450fdefc ReceiverWorker: cancel job if user fetch is forbidden
An instance block with authenticated fetch being required can cause this as we couldn't get the user to find their public key to verify the signature. Commonly observed if someone boosts/Announces a post from an instance that blocked you.
2024-08-28 15:45:16 -04:00
marcin mikołajczak
3419e2cbdd Correct response in AdminAPI docs
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2024-08-28 18:28:22 +02:00